
August 07, 2017

Another AppleID Phishing Attempt

Talk about your fake news:

[Image: fake AppleID login email]

The main psychological trigger to action here is that supposedly someone other than yourself has managed to hijack your AppleID account and successfully logged in. That, of course, would make it possible to download all kinds of iTunes content on your credit card. The sender knows you haven't logged in with a Chrome browser running on Windows from a computer in Indonesia. It's all to get you to click the link, which probably links to a form where you are asked for your AppleID and password. Now that would give your account away to a crook.

These days, all users must train their eyes to spot fake email messages, such as this one. You have to set aside for a moment the main heart-pounding, adrenalin-gushing fear on which the crook is playing to get you to click the link.

Instead, RESIST, and take a calm moment to look more closely at the details of the message. This one, for instance, has lots of problems:

  1. The phrase "via iCloud web browser" in the Subject: line is very bizarre. There is no iCloud-branded browser, as most modern browsers on all personal computing platforms allow users to log into iCloud. Thus, this is a very odd construction to come from Apple. Remember that Apple communications of this nature will have been edited, vetted, and lawyer-approved before ever leaving Cupertino.
  2. Not shown in the image above was the From: field, which reads: Apple Support <nevas0r0c@besarque-ambon.business>. Most email clients display only the plain-language part of the address (the part not inside brackets), which, on the face of it, looks legit. But the actual email address is not related in any way to apple.com. In fact, it is one of the class of new Internet domains, .business. In my experience, the bulk of email addresses bearing these new domains are the world's worst spam.
  3. The two paragraphs after the itemized list contain multiple grammatical errors that would never survive Apple's vetting process.
  4. If you roll your cursor atop the link, you see a bit.ly link. Again, something Apple would never utilize in a customer communication.
  5. Finally, look at the bottom of the message, which is intended to include links to things like Apple Support and the company's Privacy policy. Number one, they're not links in the message. Number two, the copyright line cites a fake company that is not close to Apple. For comparison, here is the same closing I found on an iTunes Store receipt:
    [Image: genuine Apple message closure]
    The genuine one, as you might expect, includes an Apple logo.
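Two of the tells above (a display name that invokes Apple while the address behind it lives on an unrelated domain, and a link routed through bit.ly) can be checked mechanically before a reader's pulse has a chance to rise. The script below is an added example, not code from this blog; the raw messages are constructed for the example (the sender address is the one quoted in item 2, the rest is made up), and the brand-to-domain table and shortener list are assumptions a reader would tune for their own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above: the From: address
# is the one quoted in the post, everything else is invented for this example.
SAMPLE_EMAIL = """\
From: Apple Support <nevas0r0c@besarque-ambon.business>
To: victim@example.com
Subject: Your Apple ID was used to sign in via iCloud web browser
Content-Type: text/plain; charset="utf-8"

Dear Customer,
Your Apple ID was used to sign in to iCloud via a web browser from
Chrome on Windows in Indonesia. If this was not you, verify now:
http://bit.ly/2xAppleID
Apple Support | Privacy Policy
Copyright 2017 Apple Store Services Ltd. All rights reserved.
"""

# Constructed counter-example of what a legitimate notice might look like.
GENUINE_EMAIL = """\
From: Apple <no_reply@email.apple.com>
To: victim@example.com
Subject: Your receipt from Apple
Content-Type: text/plain; charset="utf-8"

Thank you for your purchase. Questions? https://www.apple.com/support/
"""

# Brand names and the domains they legitimately send from (assumed table).
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com", "itunes.com"}}
# URL shorteners a vendor would not use in customer mail (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)


def domain_matches(domain, allowed):
    """True if domain equals one of allowed or is a subdomain of one."""
    domain = domain.lower()
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # The display name is what most clients show; the address is what matters.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    for brand, domains in BRAND_DOMAINS.items():
        claims_brand = brand in name.lower() or brand in subject
        if claims_brand and not domain_matches(sender_domain, domains):
            findings.append(
                f"display name/subject invoke '{brand}' but sender domain is {sender_domain}")

    # Collect every text part of the body (a single-part message walks to itself).
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(parts)

    # Flag links that hide their destination behind a shortener.
    for host in URL_RE.findall(body):
        if domain_matches(host.split(":")[0], SHORTENERS):
            findings.append(f"link goes through URL shortener {host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(label, check_message(raw) or ["no findings"])
```

The subdomain test matters in both directions: mail from `email.apple.com` passes, while a look-alike such as `apple.com.evil.business` does not, because the comparison anchors on the registered domain rather than on the string "apple.com" appearing anywhere in the host.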

Be extremely cautious and vigilant when any email message arrives talking about one of your accounts or passwords. Don't be a victim of fake news.

Posted on August 07, 2017 at 08:54 PM

August 02, 2017

Preposterous Spam

If we can learn anything from the Internet in the past year or two, it's that fake news penetrates. The more preposterous the item, the more likely readers will not only read the story, but they'll retweet or share it to hundreds or thousands of other users, spreading outright lies left and right. Spammers have been employing these techniques for years.

Spammers have two main barriers to achieving their goals.

The first is strictly technical: employing whatever tricks they have up their sleeves to get as much volume into recipient inboxes as possible. This means slipping messages past network, incoming mail server, and client software spam filtering.

The second barrier is human. It's actually a two-part road block. The first is to somehow entice the recipient to open the message, usually by way of clever or interesting-sounding Subject: and From: headers whose content appears in the inbox list of mail. Once a user has opened a message, the final human barrier is tricking the user into acting on the content, whether it be to open an attachment (usually malware) or click a link (to either a product offering or malware installer).

Some people might think that the human barrier, populated by non-artificial intelligence, would be the harder barrier to overcome. Although oceans full of spam are blocked every day before reaching inboxes, a sufficient amount manages to get through to keep the spammers going. And, as the attraction of fake news has proven, humans by and large are gullible targets for any kind of psychological online trick.

Consider these two Subject: lines from real spam received here at SpamWars HQ:

  • Scandal ends Mark Zuckerbergs run at Facebook
  • Ellens last day: The star quits her show

These blockbuster Subject: lines could have been ripped from supermarket tabloid headlines. All we need now is a report of Ellen DeGeneres giving birth to an ET's baby on a UFO.

As much as I would love it for recipients to ignore these kinds of blatantly fake Subject: lines, celebrity curiosity will lead recipients in the high-90s percent range to open these messages.

What do recipients see upon opening?

Remember, having lured recipients this far, the spammer's final goal is to elicit action on the recipient's part. That means a click on any of the links. As the URLs of the unsubscribe links demonstrate, they lead only to the same place as the active links in the body. Those unsubscribe addresses and affiliations are as phony as a 3-dollar bill.

As revealed by rolling the cursor atop all of the links (or pressing and holding your finger on the links on a touchscreen — and then sliding your finger away without registering a touch), the URLs contain what could be a complex numeric string that could be linked to your email address. Clicking any one of those links could confirm your email address with the spammer as being valid, inviting additional spam in the future.
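The two observations just made, that the unsubscribe links resolve to the same place as the body links and that every URL carries a long numeric string that could tie a click back to one recipient, can be confirmed from the message source without clicking anything. The following is an added example, not code from this blog; the HTML body, the host name and the numeric token are all constructed for the example, and the rule that a run of twelve or more digits (or sixteen or more hex characters) in a path segment or query value counts as a candidate identifier is an assumed heuristic.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed HTML body in the style of the messages described above; the
# host, paths, token and name are invented for this example.
SAMPLE_HTML = """
<p><a href="http://news-flash-today.example/go/73829104827364195/ellen">Read the full story</a></p>
<p><a href="http://news-flash-today.example/go/73829104827364195/ellen">Watch the video</a></p>
<p style="font-size:9px">If you no longer wish to receive these messages,
<a href="http://news-flash-today.example/u/73829104827364195">unsubscribe here</a>
or write to Harold Nieland, 123 Main St, Anytown, NM.</p>
"""

# Anchor tags with their href and visible text (adequate for mail-sized HTML).
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
# Assumed heuristic: a long all-digit or all-hex segment is an opaque identifier.
TOKEN_RE = re.compile(r"^(?:\d{12,}|[0-9a-f]{16,})$", re.IGNORECASE)


def candidate_tokens(url):
    """Path segments and query values in url that look like opaque identifiers."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    values = [v for _, v in parse_qsl(parts.query)]
    return {s for s in segments + values if TOKEN_RE.match(s)}


def analyse_links(html):
    """Summarise where a message's links point and whether they share one token."""
    links = [(text.strip(), href) for href, text in LINK_RE.findall(html)]
    hosts = Counter(urlsplit(href).hostname for _, href in links)
    unsub = [href for text, href in links if "unsubscribe" in text.lower()]
    body = [href for text, href in links if "unsubscribe" not in text.lower()]
    body_hosts = {urlsplit(b).hostname for b in body}

    # A token present in every link of the message almost certainly identifies
    # the recipient: any click, including "unsubscribe", confirms the address.
    token_sets = [candidate_tokens(h) for _, h in links]
    shared = set.intersection(*token_sets) if token_sets else set()

    return {
        "link_count": len(links),
        "hosts": dict(hosts),
        "unsubscribe_same_host": bool(unsub)
        and all(urlsplit(u).hostname in body_hosts for u in unsub),
        "shared_tokens": sorted(shared),
    }


if __name__ == "__main__":
    for key, value in analyse_links(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

A non-empty `shared_tokens` list together with `unsubscribe_same_host` being true is the pattern the post describes: there is no separate list-management service behind the unsubscribe link, only the spammer's own server waiting to learn which addresses are live.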

Occasionally, a spammer error can give someone like me a brief chuckle. Such was the case of this Subject: line:

  • This will grow your cancel cells

Unfortunately, curiosity will kill your cat when you open the message and read this tabloidesque pitch:

You'd think a legitimate pitch would at least make up an affiliation for this supposed Senior Health Researcher. Where? In an RV in the New Mexico desert?

If you look closely at all three messages, despite the differences in page layouts, all of the bogus unsubscribe notices reference someone with the last name of Nieland. Three different first names. Three different locations/states. One is in a telephone answering business services building, the second in a rural home, and the third in an apartment complex. Capital B, capital S, times three. But they are related, and their source code and link structures bear enough similarities to imply a single megaspammer as the source.

We've seen them for decades before. And as long as humans fall for their tricks, we'll see them for decades in the future. [big sigh]

Update

No sooner had I published this piece than two more spam messages from this campaign arrived, using the same fake news approach:

Posted on August 02, 2017 at 01:50 PM