Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« February 2013 | Main | September 2014 »

April 30, 2013

This Makes Me Mad Permalink

It's one thing to attempt to trick the public at large. But going after a particularly vulnerable segment of the internet population is despicable and shameful:

From: AARP update
Subject: No one does more for people over 50

No one does more for people over 50 than AARP - learn more today:

AARP, 601 E. Street NW, Washington, DC 20049
To unsubscribe please use the link below:

The domain for the links (.pw is for Palau in the Pacific Ocean) was registered waaaay back about 12 hours ago. And not by AARP, as you could guess. I don't have time at the moment to follow the breadcrumb trail of redirections, but the final destination must be a malware loader of some kind. All the better for the crook to keystroke capture his way into the victim's financial accounts.

I'm steamin'.

Posted on April 30, 2013 at 02:45 PM

April 22, 2013

F.U. Spammers and Google Permalink

As I've written previously, when an email message arrives professing CAN SPAM compliance, you can be sure it's lying. Case in point:

Subject: iTunes Email Lists


Greetings of the day, I was reviewing your website and thought might be intrested in our iTunes Email Lists. We maintain contacts with complete information.

Data Quality and Details:

Data fields on each record contains: Contact Name (First, Middle and Last name), Mailing Address, Age, Gender, Income, Interests, Hobbies, Opt-In emails.
Accuracy Guarantee: 75% accuracy on data
Legal Compliance: We are in compliance with the CAN SPAM Act, 2003 and DMA

Please let me know your thoughts towards procuring or using our iTunes Email Database.

To Your Success!
Mary Jackson
Lead Expert

We respect your privacy, if you do not wish to receive any further emails from our end, please reply with a subject “Unsubscribe”.

Sorry, but without a postal mailing address of the sender, this message violates CAN SPAM. Oh, and if you really reviewed my web site, you'd know I don't sell anything directly, so an email list is of absolutely no use to me. Besides, I would never in a hundred million years send out unsolicited email (as any due diligence on my various sites would reveal instantly). The bullshit is rising.

The offer, too, is highly suspicious. Where on Earth—other than Mother Ship Apple itself—could accurate information about iTunes customers originate? I don't think even Apple has details you claim to have accumulated on its customers. Does Apple know about my model train and ham radio hobbies? Impossible.

Then I checked the email message more closely. It arrived to me from a google.com mail server, taking full advantage of its DKIM signature to get past spam filters. The return address, however, is not to a gmail account, but to an address at the registration privacy-protected switchways.com domain. If you attempt to visit that domain in a web browser, you get a page that imitates a Google 404 page, complete with appropriated Google art files.

OK. That room is now filled to the ceiling in bullshit. Time to report this activity to Google.

Another room starts to fill with Google bullshit after I finally (and I mean finally) locate a reporting form. After carefully filling it out and attaching a text file with the message's source code per their instructions, submission results in an error. It says it could not send the form and gives me no indication what the error is. No fields are highlighted. No further explanation is offered.

So, fuck you, Google. Enjoy letting crooks abuse your services and reputation. I won't waste any more of my time trying to help you from being played.

Posted on April 22, 2013 at 06:55 PM
"We are interested in your products..." Permalink

I've lost count of the number of spam messages I've received over the past several months claiming to come from a foreign firm wanting to buy my products. Of course, my domains don't sell any products directly, so I know the request is utter bullshit. Here's one of the latest ones:

From: NZTradingLtd
Subject: New P.O

Dear Sir/Madam,

I am Ms.Suha Arafat, the Purchase Manager of NZ Trading Ltd.,based
in Dunedin, New Zealand.

We are interested in purchasing your products as exactly shown in
the DATASHEET as attached in this mail.

Please check and get back to us as soon as possible with your last
price,payment terms and delivery time.
Your response will be highly appreciated.


Suha Arafat

Purchasing Manager
NZ Trading Ltd.
173 Maclaggan St.
Dunedin, New Zealand
E-mail: NZTradingLtd@[removed]service.com
Telephone Number : (64) 3 929 [removed] Ex 5
Fax Number: (64) 3 929 [removed]

The attachment is a 771 KB file named Order No1.zip. Running the file through VirusTotal reveals it is a well-known generic Trojan. I believe the primary aim of these types of malware deliveries is to infect computers of small businesses that also use those computers for online banking. Implanting a keylogger on such machines will quickly reveal to the crooks whether the computers can be hijacked for major funds extraction through money mule networks (aka work-from-home scam victims).

While I know such requests directed at me aren't worth the paper they're not printed on, lots of small businesses hungry for new customers might not be so discerning. A minimum of nerdy due diligence with the message's headers would elevate the "stink" level of this inquiry (having been sent through a South African garden supplies company's email system). Sending a purchase order in a .zip file should be another smell bomb. A Google search would lead you down a trail mapped out by squirrels, where the same supposed corporate building with the same vehicle parked by the front door (based on nondescript web site images) is located in both Auckland and Dunedin.

Crooks know that the old adage of something too good to be true is ignored by enough potential victims to go ahead and offer something that is too good to be true, such as an international purchase order coming in over the transom (I know, I'm really showing my age). But the cost of acquiring this "customer" could be many tens of thousands of dollars.

Posted on April 22, 2013 at 04:20 PM

April 06, 2013

When Crooks Mess Up Permalink

Few things make me happier than seeing a crook self-destroy an attempt to con his spam recipients out of something valuable. Here is an example from a wayward 419 (advance fee) spammer who, for lack of one word ("million"), ruins his chance of catching the lazy/greedy/dreamy recipient in his snare:

Attention please!!!

We have registered your ATM CARD of (US $2.5) with dhl Express Courier Company with registration code of ( 9665776).please Contact with your delivery information:
E-mail: (dhl-service203@[removed].com)
Tel: +229-[removed]
We have paid for the Insurance & Delivery fee.The only fee you have to pay is their Security fee only.Please indicate the registration Number of ( 022-82797457 )and ask Him how much is their Security fee so that you can pay it.
Best Regards.
Mr Stanley Brown

What I like about these attempts is that the mailing had to cost the sender something—not much, mind you, but something of value. By failing to proofread his scammy spam message, he greatly reduces the chance of hooking a sucker to recoup the investment.

On the flip side, I do hope that an email newby doesn't engage this guy in an email exchange, inquiring why there would be a security fee on a card worth less than three bucks.

Posted on April 06, 2013 at 09:27 AM