<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
<title>Spam Wars Dispatches</title>
<link>http://spamwars.com/</link>
<description></description>
<copyright>Copyright 2008</copyright>
<lastBuildDate>Wed, 08 Oct 2008 20:02:34 -0800</lastBuildDate>
<generator>http://www.movabletype.org/?v=3.121</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs> 

<item>
<title>Financial Crisis as Universal Spammer Hook</title>
<description><![CDATA[<p>It doesn't matter what they're selling. Spammers will find some connection between their garbage and the latest financial situation to lure you to visit a web site.</p>

<p>When a German-language spam arrived here with all kinds of talk about "die Bankenkrise" (bank crisis) and "Panik," I first imagined that the link would be to some sort of e-gold or other type of squirrely money equivalent.</p>

<blockquote>
<p>Hier ist Ihr Geld sicher: http://www.[removed].org</p>

<p>(Your money is safe here)</p>
</blockquote>

<p>What exactly is this safe haven for our dwindling cash?</p>

<p>Would you believe an online casino?</p>

<p>Mit freundlichen Gr&uuml;&szlig;en,<br />
Danny</p>]]></description>
<link>http://spamwars.com/archives/2008/10/financial_crisi.html</link>
<guid>http://spamwars.com/archives/2008/10/financial_crisi.html</guid>
<category></category>
<pubDate>Wed, 08 Oct 2008 20:02:34 -0800</pubDate>
</item>
<item>
<title>Malware Attachments Still Circulate</title>
<description><![CDATA[<p>It's getting harder and harder for malware-laden attachments&mdash;especially those bearing the commonly-used filename extensions&mdash;to get past server-based security software. But that doesn't mean the crooks won't keep trying. The key is to modify the package enough with each iteration to prevent the file from being identified as a known hunk o' crap.</p>

<p>The first goal of an attachment delivery message&mdash;once it has made it into an inbox&mdash;is to create enough curiosity or outrage in a simple message to get the recipient to open the file. I personally believe that the outrage approach is more easily exploitable against cautious recipients who are more likely to trash an email from an unknown sender containing an unexpected file.</p>

<p>An example arrived today that will surely get the dander up on quite a few recipients:</p>

<blockquote>
<p>Subject: Your bill. Please pay within the next week.</p>

<p>The bill is attached. Password is 123.</p>
</blockquote>

<p>The attached file is named bill.zip, and VirusTotal reports that only 22% of its list of antivirus products identified it as anything suspicious. A lot of very big antivirus names missed it (at this hour, anyway). So, if the recipient was outraged at receiving a bill from a karate studio (as indicated in the forged From: field of the copy I received), he or she would open the file to find out what it's about and contest it...by which time a Trojan downloader has already been installed on the PC.</p>

<p>It's just another example of what I call the "impending doom" trick to get recipients to act. With the world financial situation going through troubled times, I fully expect crooks to experience a boom in doom.</p>]]></description>
<link>http://spamwars.com/archives/2008/10/malware_attachm.html</link>
<guid>http://spamwars.com/archives/2008/10/malware_attachm.html</guid>
<category></category>
<pubDate>Tue, 07 Oct 2008 08:38:29 -0800</pubDate>
</item>
<item>
<title>A 419er Overloads Hook with Bait</title>
<description><![CDATA[<p>You've seen the typical 419 letter: Someone died a horrible accidental death in Africa, and left millions without an heir.</p>

<p>You've seen the typical 419 lottery letter: Your email address was picked at random to be the winner of a multi-million (dollars/pounds/euros) prize.</p>

<p>Today I saw a hybrid&mdash;not only of these two scams, but a further scam-de-scam-scam on the scam. The 419er's story has more layers than an onion.</p>

<p>The sender identifies himself as follows:</p>

<blockquote>
FROM: MR. EMMANUEL.U.EMERUEM<br />
PUBLICITY SECRETARY,<br />
FOREIGN PAYMENT PROCESSING UNIT,<br />
UNION BANK NIG. PLC<br />
Our Ref: UBN/IRD/UBX/021/07
</blockquote>

<p>I'm omitting the telephone number and email address&mdash;the only two pieces of information that are real. When I saw the sender's name, I did a "redrum" check to see if he was at least trying to play a clever trick. I think I gave him too much credit.</p>

<p>The body of the message is overlong (and in all capital letters), so I'll peel the layers for you one by one.</p>

<p>Layer I.<br />
A bunch of American contractors/philanthropists (?) and their families died in a bomb blast a few years ago (obligatory link to a 2003 BBC News item included for good measure). Despite a desperate search, no heirs could be found, and $4.7 million is sitting in a Nigerian bank.</p>

<p>Layer II.<br />
The President-elect of Nigeria wants to "salvage the image" [lower-cased for your protection] and "restore the international relationship" of Nigeria. This magnanimous president directed the Nigerian bank to conduct "an electronic computer random ballot system for all emails [sic] users drawn from over emails [sic] address [sic] of individual [sic] and companies from Africa, America, Europe and Asia." [sick] Wouldn't ya know it, my email address was picked as the lucky winner! I am advised to "donate to some motherless or orphanage homes to help the less prevelages. [sic] It is mainly for the upliftment [sic] of human growth." (Not to be mistaken for human growth hormone spam.)</p>

<p>Layer III.<br />
Lest I dawdle in claiming the winning prize, Mr. Redrum then reveals that "a woman with British passport came to my office few days ago with a letter, claiming to be your true representative." OMFG!! Someone's trying to cheat me out of my prize! "If we do not hear from you within the next three working days from today the fund will be remitted to Mrs. Susan Barker and this bank will not be held responsible and this our email communication shall be our evidence against you in case of any scandal or law action by you against the management of this bank."</p>

<p>Holy crap, that's a lot of bait on the hook. It's like the kid who uses up too much material to explain missing homework: "A burglar stole our dog who ate my essay after a plumbing leak soaked my backpack."</p>

<p>Because some people still fall for 419 schemes, this tall tale will certainly get those types of folks to act. Even if they're not sure about the "prize" money, they may be concerned that someone is going around Africa claiming to represent the recipient. Except that the sender doesn't have a clue who the recipient is&mdash;"ATTENTION DEAR FRIEND"&mdash;and there is no one making such claims. Anyone foolish enough to contact this guy by email or especially by phone is treading dangerously close to being conned by very convincing crooks, and taken for big bucks.</p>]]></description>
<link>http://spamwars.com/archives/2008/10/a_419er_overloa.html</link>
<guid>http://spamwars.com/archives/2008/10/a_419er_overloa.html</guid>
<category></category>
<pubDate>Mon, 06 Oct 2008 12:23:52 -0800</pubDate>
</item>
<item>
<title>Why Risk Your Company&apos;s Reputation With Lies?</title>
<description><![CDATA[<p>Scenario: You have what appears to be a legitimate business with an online presence. To solicit new business, you fill out response forms at other web sites with a message that includes an outright lie.</p>

<p>What were you thinking?</p>

<p>Here is what a recruiting company in Mumbai, India sent me via the spamwars.com contact form:</p>

<blockquote>
<p>Hi Sir,<br />
This is vijay here received your e-mail on my ID: [removed]@gmail.com, this e-mail is in regard to assist you in recruitment and staffing, as we are our a leading staffing company + BPO. We understood your requirement, For more details you can write us on vinod@[removed real company domain].com. Awaiting take this relationship forward as business partner.</p>

<p>Regards<br />
vijay<br />
HUMAN RESOURCE<br />
CRUX MANAGEMENT SERVICE Pvt Ltd<br />
Mumbai</p>
</blockquote>

<p>Not only have I never heard of this outfit, I certainly did not send any email message to this guy or anyone at the company. And, as a one-man show, I am not hiring and have nothing to outsource. And don't get me started on how a lack of English skills does nothing to instill confidence in your professionalism.</p>

<p>I wonder if they run radio commercials in India. If so, they can add the tag line: "That's Crux Management Service...building our business through lies and bad grammar. That's Crux Management Service."</p>]]></description>
<link>http://spamwars.com/archives/2008/10/why_risk_your_c.html</link>
<guid>http://spamwars.com/archives/2008/10/why_risk_your_c.html</guid>
<category></category>
<pubDate>Thu, 02 Oct 2008 21:05:09 -0800</pubDate>
</item>
<item>
<title>Riding the Coattails of Credibility</title>
<description><![CDATA[<p>The expression "riding someone's coattails" is an idiom in American English that means using your connections with someone successful to gain success for yourself. The picture we're supposed to imagine is an influential person entering an exclusive venue in white tie and tails&mdash;with someone less deserving being dragged into the exclusive venue by literally standing on the tails of the influential person's coat. I can see the 1930s cartoon scene in my mind already.</p>

<p>The modern-day equivalent is called <a href="http://en.wikipedia.org/wiki/Slipstream">slipstreaming</a>.</p>

<p>Whatever you call it, I saw a medz spammer doing it today. The following arrived at one of my spamtrap addresses:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch10_01_08.jpg" alt="Canadian medz spammer message" />
</blockquote>

<p>Although the ad supposedly promotes a place called Canadian Pharmacy (how many hundreds of these&mdash;#1 or otherwise&mdash;are there?), note that the message claims to have been sent by way of ABCNews Newsletters, complete with CAN-SPAM-compliant mailing address and opt-out link. But ABC News had absolutely nothing to do with this mailing. All links, from the clickable image to the Privacy Policy, point to a newly minted domain whose registration lists a Russian owner (not likely accurate). The web site is hosted in Panama.</p>

<p>As long as the spammer is lying about being a Canadian pharmacy, he might as well go the full distance and lie about the offer being sent from a legitimate news organization, as if ABC News endorses the company. In the meantime, a lot of recipients will think ABC News is a spammer, as ABC News unwillingly rides the spammer's coattails to contempt.</p>]]></description>
<link>http://spamwars.com/archives/2008/10/riding_the_coat.html</link>
<guid>http://spamwars.com/archives/2008/10/riding_the_coat.html</guid>
<category></category>
<pubDate>Wed, 01 Oct 2008 08:14:29 -0800</pubDate>
</item>
<item>
<title>Malware Lure Spoofing CNN Web Site</title>
<description><![CDATA[<p>The news flash malware lure is on the march once again. This time, it's World War III. Here's the message:</p>

<blockquote>
<p>Subject: The beginning of the Third World War.</p>

<p>Important! The beginning of the Third World War: The Russians used nuclear weapon against Georgia. According to Pentagon, the bomb of 17 megatons in TNT equivalent (which equals to 27 bombs that were used in Hiroshima) was launched at Tbilisi, the capital of Georgia, from the Russian submarine in the Black Sea. According to tentative data, Tbilisi and its suburbs in the radius of 20 km have been leveled to the ground. George Bush, speaking in the name of the whole America, made an official statement, claiming the readiness of the USA and all the NATO members for the retribution operation against Russia and the use of nuclear weapon. Click the link below to view George Bushs address: http://cnnworld.org/index.php?video_id=75198</p>
</blockquote>

<p>I normally block the URLs when relating these types of messages, but in this case, the domain name is an important part of the story.</p>

<p>In many past posts about apocalyptic malware lure messages, I recommend visiting legitimate news sites to confirm that the message is a hoax&mdash;by the lack of any mention of the end of the world. The site I typically turn to first is cnn.com, mostly because it's easy to type.</p>

<p>At first glance, the domain name in the message might look believable to many. It's short and sweet.</p>

<p>It was also registered yesterday.</p>
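<p>Those two observations, a domain that borrows a brand's name and a registration only a day old, can be checked by a script rather than by eye. The following Python is an added example written for this page, not code from the post. It reduces a lure URL to its registrable domain, tests whether that domain leans on a known brand the way cnnworld.org leans on cnn.com, and reports the registration age. The brand list, the WHOIS creation dates and the "today" date are constructed inputs; in practice a WHOIS or RDAP lookup would supply the creation date, and the example does not consult the public-suffix list.</p>

```python
from datetime import date
from urllib.parse import urlsplit

# Brand domains a recipient would recognize. Constructed list for the example;
# a real filter would load a much longer one. Short labels such as "cnn" can
# match unrelated names, so a hit is a signal to review, not a verdict.
KNOWN_BRANDS = ("cnn.com", "abcnews.com", "careerbuilder.com")


def registrable_domain(url):
    """Reduce a URL to its last two host labels (e.g. cnnworld.org).

    Simplification: the public-suffix list is not consulted, so a host under
    co.uk would be cut too short. Fine for the .com/.org lures quoted here.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_lookalike(domain, brands=KNOWN_BRANDS):
    """Return the brand a domain imitates, or None if it is the brand itself
    or resembles none of them.

    cnnworld.org imitates cnn.com: its second-level label starts with the
    brand label 'cnn', yet the registrable domain is not the brand's own.
    """
    if domain in brands:
        return None
    label = domain.split(".")[0]
    for brand in brands:
        brand_label = brand.split(".")[0]
        if label == brand_label or label.startswith(brand_label) or label.endswith(brand_label):
            return brand
    return None


def domain_age_days(created, today):
    """Days between the WHOIS creation date and the day the mail arrived."""
    return (today - created).days


def triage_url(url, whois_created, today, brands=KNOWN_BRANDS, young_days=30):
    """Collect the two warning signs the post relies on for one URL."""
    domain = registrable_domain(url)
    findings = []
    brand = brand_lookalike(domain, brands)
    if brand:
        findings.append(f"lookalike of {brand}")
    age = domain_age_days(whois_created, today)
    if age <= young_days:
        findings.append(f"registered {age} day(s) ago")
    return domain, findings


def demo():
    """Run the lure URL from the post and a legitimate URL through triage.

    The dates are constructed: the lure was 'registered yesterday' relative to
    the post date of 25 Sep 2008; the cnn.com creation date is a placeholder.
    """
    today = date(2008, 9, 25)
    lure = triage_url("http://cnnworld.org/index.php?video_id=75198", date(2008, 9, 24), today)
    legit = triage_url("http://www.cnn.com/WORLD/", date(1993, 9, 22), today)
    return lure, legit


if __name__ == "__main__":
    for domain, findings in demo():
        print(domain, "->", findings or "no warning signs")
```

<p>The age check is the stronger of the two signals: brand-name matching on a three-letter label will produce false positives, but a news site whose domain did not exist yesterday is not a news site.</p>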

<p>If you were to visit the URL in a web browser (DON'T DO IT!), you'd see a page that, again at first glance, has a believable look and feel of the CNN International page:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch09_25_08a.jpg" alt="Phony CNN International web page" />
</blockquote>

<p>This is what the upper left corner of the <em>real</em> CNN International World page looks like:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch09_25_08aa.jpg" alt="Real CNN International web page" />
</blockquote>

<p>Now, onto the "dialog box" that talks about an ActiveX problem. Here it is in detail:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch09_25_08b.jpg" alt="Fake ActiveX alert" />
</blockquote>

<p>The alert is a Dynamic HTML absolute-positioned element made to simulate a dialog box window (it's even draggable). If you click the Details button, an alert dialog tells you to download the codec. If you click the Cancel button, you are placed into an infinite loop that forces you to agree to download the codec unless you kill the browser.</p>

<p>Of course, the download is no codec. It's a malware loader named codecpack.v.1.1.18.exe. Unfortunately, at this hour, VirusTotal shows a measly 17% (6/36) detection by antivirus products.</p>

<p>And the botnets grow....</p>

<p>UPDATE (2:54PM PDT 25Sep2008). The site is hosted in Iran, as are the domain's DNS servers. Domain name registrar is eNom. </p>]]></description>
<link>http://spamwars.com/archives/2008/09/malware_lure_sp.html</link>
<guid>http://spamwars.com/archives/2008/09/malware_lure_sp.html</guid>
<category></category>
<pubDate>Thu, 25 Sep 2008 12:09:20 -0800</pubDate>
</item>
<item>
<title>Do People Believe 419ers? You Bet!</title>
<description><![CDATA[<p>My local small town newspaper has a Police Blotter section every week, where reports of various incidents are described. I'm also a radio communications hobbyist and occasionally listen to a police band radio (oh, yes, I'm one of <em>those</em> geeks).</p>

<p>Every month or so, the Police Blotter listings include some type of report of attempted or successful internet fraud, whether it be an eBay auction gone bad or a 419 email. Yesterday, while listening to the local Sheriff's radios, I heard a dispatcher sending out a deputy to someone who received an email about UPS holding a million dollars for a citizen. The deputy didn't even have to acknowledge before I suspected a 419 attempt in the works.</p>

<p>This morning I got a chance to see the email because one arrived at my server. Here's the content in full:</p>

<blockquote>
<p>Subject: contact ups immediately</p>

<p>Hello Dear,</p>

<p>I have register for your Cheque Draft.But the manager of Eko Bank<br />
Benin told me that before the check will get to you that it will expire.</p>

<p>So i told him to cash $1.5millions united state dollars  all the necessary arrangement of delivering the $1.5millions united state dollars in cash was made with UPS DELIVERY COURIER COMPANY.</p>

<p>This in the information they need to delivery your package to you.</p>

<p>DR. JAMES   WALTER<br />
EMAIL: ups_de_benin14@[well-known-free-email].com</p>

<p>1.YOUR FULL NAME<br />
2.YOUR HOME ADDRESS.<br />
3.YOUR CURRENT HOME TELEPHONE AND CELL NUMBER.<br />
4.YOUR COUNTRY<br />
5.A COPY OF YOUR PICTURE</p>

<p>Sincerely JOHN BEN</p>
</blockquote>

<p>(The funniest part of the message is that supposedly UPS of Benin hired a very well-educated person to handle customer service.)</p>

<p>But let's examine what happened here. A resident of my county received this message and gave it enough credence as either a legitimate offer or a serious enough crime to report to the local sheriff (perhaps thinking they were being specifically targeted). I didn't hear the disposition, but it's unlikely that the deputy had enough online fraud experience to evaluate the offer or know to whom a report should be forwarded.[1] It's folks like my fellow county resident&mdash;who may be new to email or haven't ever heard about 419 scams&mdash;that I fear for the most. Their hides haven't hardened to the impenetrable shells that we who receive thousands of spams a day have developed over the years. They are susceptible to online scams and are in bad need of public education about them.</p>

<p>-----------------<br />
[1] Don't get me wrong. The dealings I've had with my county sheriff deputies over the years have really impressed me. Mostly Andy and none of the Barney.</p>]]></description>
<link>http://spamwars.com/archives/2008/09/do_people_belie.html</link>
<guid>http://spamwars.com/archives/2008/09/do_people_belie.html</guid>
<category></category>
<pubDate>Sat, 20 Sep 2008 09:33:52 -0800</pubDate>
</item>
<item>
<title>Impending Doom. Click Now!</title>
<description><![CDATA[<p>Those of us who battle spam daily can usually sniff out the purpose behind blatantly false email messages. Take this one, for example:</p>

<blockquote>
<p>From: cory hardison<br />
To: client<br />
Subject: Your internet access is going to get suspended</p>

<p>Your internet access is going to get suspended</p>

<p>http://[removed].com</p>
</blockquote>

<p>The inbox listing shows only the From: and Subject: fields. A spammer has only those two fields to make his first impression on a recipient. If it's in an inbox listing, the message has probably survived one or more automated antispam filters. But can the combination of From: and Subject: lines get past a supposedly smarter human filter? If the recipient opens the message, will the message body be sufficiently compelling to incite further action&mdash;a visit to a web site?</p>

<p>My first thought on the message above was that it was another impending doom message intended to lure recipients to a malware installation page. This tactic had been used years ago, but usually with the From: field forged to suggest it came from the recipient's own IT department (e.g., if the message was addressed to dannyg@example.com, the From: field was admin@example.com).</p>
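<p>The From:/Subject: pair is also all a filter has to go on before the body is read, and the forged-internal-sender variant described above is detectable from headers alone. Here is an added Python example, written for this page rather than taken from the post, that parses a raw message with the standard library, walks the Received: chain back to the host where the mail entered, and flags a From: address at the recipient's own domain whose oldest hop is not one of the organisation's relays, a Return-Path that disagrees with From:, and urgency phrasing in the Subject:. The sample message, the addresses and the IP addresses (documentation ranges) are constructed; the relay list is an assumption the caller supplies.</p>

```python
import email
import re
from email.utils import parseaddr

# Subject: phrases that press the recipient to act; constructed for the example.
URGENCY = ("suspended", "pay within", "your bill", "important!", "immediately")

# Constructed message modelled on the variant described above: From: forged as
# the recipient's own admin address, delivered through an outside host.
# Addresses and IPs are documentation values, not real ones.
SAMPLE_MESSAGE = """\
Return-Path: <cory.hardison@example.org>
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.example.com with ESMTP; Fri, 19 Sep 2008 08:40:11 -0700
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.com with SMTP; Fri, 19 Sep 2008 08:40:09 -0700
From: admin@example.com
To: dannyg@example.com
Subject: Your internet access is going to get suspended

Your internet access is going to get suspended

http://[removed].com
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """IPs from the Received: chain, newest hop first (the order the headers are stacked)."""
    ips = []
    for header in msg.get_all("Received", []):
        match = IPV4.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_headers(raw_message, trusted_relays):
    """Return the reasons an inbox listing's From:/Subject: should not be trusted.

    trusted_relays: the organisation's own relay IPs. A message that claims an
    internal sender but entered the chain anywhere else is treated as forged.
    """
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    to_dom = domain_of(parseaddr(msg.get("To", ""))[1])
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    findings = []

    hops = received_ips(msg)
    origin = hops[-1] if hops else None     # oldest hop = where the mail entered
    if from_dom and from_dom == to_dom and origin not in trusted_relays:
        findings.append(f"From: claims {from_dom} but the mail entered from {origin}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From: domain {from_dom}")
    subject = msg.get("Subject", "").lower()
    hits = [phrase for phrase in URGENCY if phrase in subject]
    if hits:
        findings.append("urgency phrasing in Subject: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_MESSAGE, trusted_relays={"203.0.113.10"}):
        print("-", finding)
```

<p>The relay check assumes internal users submit mail only through the listed relays (authenticated submission); where staff send from arbitrary home connections, the oldest hop must be compared against the authenticated-submission record instead, or the rule will flag legitimate mail.</p>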

<p>Upon safely checking the source code of the destination page, I discovered that the site was instead one of seemingly thousands of phony Canadian pharmacies (running on a bot-infected computer on the Japanese @NetHome network). This type of misdirection always puzzles me. Given the fact that the message is intended to instill fear and dread into the recipient, how is that person supposed to react to a medz spam site instead? Is he so relieved that his internet access won't be suspended that he'd better stock up on Viagra to shtup his significant other? Or is she supposed to reflect on how afraid she was and pick up some illegal (if not deadly) anti-anxiety drugs to lessen the impact next time?</p>

<p>Perhaps I'm just saturated by American marketing methods, but I don't understand how this type of advertising can possibly be worthwhile. If the spammer wants to go through all kinds of motions and not sell anything, let him hire Jerry Seinfeld and Bill Gates to appear in the message and at least try to entertain us.</p>
<link>http://spamwars.com/archives/2008/09/impending_doom.html</link>
<guid>http://spamwars.com/archives/2008/09/impending_doom.html</guid>
<category></category>
<pubDate>Fri, 19 Sep 2008 08:57:59 -0800</pubDate>
</item>
<item>
<title>Guarding Passwords with Sieves</title>
<description><![CDATA[<p>I've written <a href="http://spamwars.com/archives/2008/07/its_tough_to_be.html">before</a> about the faults of so-called "security questions" that are parts of some login credentials. These questions are intended to offer a way for the site to "assure" that anyone trying to do something sticky with the account (e.g., resetting passwords or retrieving lost passwords) is the user ID's owner. The problem, however, is that such questions are all too often very simple things about favorite such-and-such, city of birth, or similar twaddle that are likely to be data that socially-minded Web 2.0 users have posted to dozens of web pages.</p>

<p>Such, apparently, was the case of Vice Presidential nominee, Sarah Palin, whose Yahoo email account was reportedly cracked this week. If we can believe the self-confessed cracker's <a href="http://blog.wired.com/27bstroke6/2008/09/palin-e-mail-ha.html">own account</a>, all it took was a little bit of Googling to answer successfully the three challenge questions (one of which could have had a lot of possible combinations in the answer).</p>

<p>Certainly, the target in this case was a potentially juicy one. But even if you're not in the public eye, your login credentials to a variety of accounts could be of substantial value&mdash;if not directly monetarily, then for possible leaks of inside corporate information or even offhand comments in email that could get you fired or worse.</p>

<p>When I'm faced with a choice of security questions, I aim for the one whose answer is the least-possibly guessed by an internet troll. At the same time, however, I have to pick one whose answer I will not forget. Sometimes the choices are so limited, it's damned impossible to be opaque. </p>
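<p>Why the choice of question matters more than how the answer is stored can be shown in a few lines. The Python below is an added example for this page, not code from the post or from any site's reset flow: it stores a security answer the right way (normalized, salted, iterated hash) and then runs an offline dictionary attack against it. A city-of-birth answer falls to a short constructed list of cities; an answer drawn from a private memory is not in any list. The city list, the answers and the low iteration count are constructed for the demonstration.</p>

```python
import hashlib
import hmac
import os
import unicodedata

# Deliberately low so the demonstration runs in well under a second; a real
# store would use a far higher count or a memory-hard KDF.
ITERATIONS = 10_000

# Constructed candidate list. Anyone who knows roughly where the target grew up
# needs far fewer guesses than this.
BIRTH_CITIES = [
    "Anchorage", "Atlanta", "Austin", "Baltimore", "Boise", "Boston", "Chicago",
    "Cleveland", "Dallas", "Denver", "Detroit", "Fresno", "Honolulu", "Houston",
    "Kansas City", "Los Angeles", "Memphis", "Miami", "Milwaukee", "Minneapolis",
    "Nashville", "New Orleans", "New York", "Omaha", "Phoenix", "Pittsburgh",
    "Portland", "Sacramento", "San Diego", "San Jose", "Seattle", "Tucson",
]


def normalize(answer):
    """Case-fold, strip accents and collapse whitespace so a user who typed
    'San José' at enrollment can still answer 'san jose' later."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def store_answer(answer, salt=None):
    """Salted, iterated hash of the normalized answer; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_answer(candidate, salt, digest):
    probe = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


def guess_answer(salt, digest, candidates):
    """Offline dictionary attack against a stored answer: (answer, tries) or (None, tries)."""
    for tries, candidate in enumerate(candidates, start=1):
        if verify_answer(candidate, salt, digest):
            return candidate, tries
    return None, len(candidates)


def demo():
    """Same storage scheme, two different answers: only the choice of question differs."""
    weak = guess_answer(*store_answer("Sacramento"), BIRTH_CITIES)
    strong = guess_answer(*store_answer("green canoe, summer of 1974"), BIRTH_CITIES)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("city of birth:", weak)       # recovered after a few dozen tries
    print("private memory:", strong)    # not in any list
```

<p>The hashing and salting are there to make the point, not to rescue the weak answer: the attacker in the demo never touches the hash directly, he just tries every plausible answer through the normal verify path, which is exactly what a reset form lets anyone do unless it also rate-limits attempts.</p>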

<p>I'd much rather be allowed to create my own security question because there are people I've known, places I've been, things I've seen for which no internet trail exists&mdash;yet those things are so ingrained in my life's memory that I'll always remember them. They're just not important enough to others for me to broadcast in my blog or trumpet on a Facebook page.</p>]]></description>
<link>http://spamwars.com/archives/2008/09/guarding_passwo.html</link>
<guid>http://spamwars.com/archives/2008/09/guarding_passwo.html</guid>
<category></category>
<pubDate>Thu, 18 Sep 2008 16:34:52 -0800</pubDate>
</item>
<item>
<title>Statement of Fees 2008/09</title>
<description><![CDATA[<p>Delivering malware via email attachments is almost out of fashion, but the approach is not entirely gone. The purpose of the email message body is to provide a believable story that entices unsuspecting recipients to double-click the attachment.</p>

<p>Here is today's story:</p>

<blockquote>
<p>Subject: Statement of Fees 2008/09</p>

<p>Please find attached a statement of fees as requested, this will be<br />
posted today.</p>

<p>The accommodation is dealt with by another section and I have passed<br />
your request on to them today.</p>

<p>Kind regards.</p>

<p>Franklin</p>
</blockquote>

<p>The attached file is named Fees-2008_2009.zip. Unfortunately, at this hour, VirusTotal reports a mere 33.33% coverage (12/36). A lot of major antivirus makers don't report this file as being bad. </p>
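<p>Both this attachment and the bill.zip from "Malware Attachments Still Circulate" (the one whose message body helpfully says "Password is 123") can be triaged without waiting for antivirus signatures to catch up. The Python below is an added example for this page, not code from the post: it reads only the archive's central directory, never extracting anything, and flags executable members, double extensions and encrypted members, then checks the message body for a password handed to the recipient, which is what lets an encrypted archive slide past a gateway scanner. The sample archive and body text are constructed; the extension list is a short assumption, not an exhaustive one.</p>

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions that run when double-clicked on Windows; constructed for the
# example and not exhaustive.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}

# "Password is 123" / "password: secret" in the body means the sender wants the
# archive to pass through scanners that cannot open encrypted members.
PASSWORD_HINT = re.compile(r"\bpassword\s*(?:is|:)\s*(\S+)", re.IGNORECASE)


@dataclass
class Verdict:
    members: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.findings)


def triage_zip_attachment(zip_bytes, body_text):
    """Inspect archive headers only (nothing is extracted) plus the message body."""
    verdict = Verdict()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict.members.append(info.filename)
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXT:
                verdict.findings.append(f"{info.filename}: executable member")
            if len(parts) > 2:
                verdict.findings.append(f"{info.filename}: double extension")
            if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                verdict.findings.append(f"{info.filename}: encrypted member")
    match = PASSWORD_HINT.search(body_text)
    if match:
        password = match.group(1).rstrip(".,;:!")
        verdict.findings.append(f"password '{password}' supplied in message body")
    return verdict


def build_sample_zip():
    """Constructed stand-in for bill.zip: harmless bytes under a lure-style name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bill.pdf.exe", b"MZ not a real program, just sample bytes")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip_attachment(build_sample_zip(), "The bill is attached. Password is 123.")
    print(result.members)
    for finding in result.findings:
        print(" -", finding)
```

<p>The member names are visible in the central directory even when the contents are encrypted, so a scanner that cannot open a password-protected archive can still refuse it on the strength of an .exe inside. The sample archive is unencrypted because the standard library cannot write encrypted ZIPs, but the flag check runs the same way on one that is.</p>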

<p>And that's bad.</p>]]></description>
<link>http://spamwars.com/archives/2008/09/statement_of_fe.html</link>
<guid>http://spamwars.com/archives/2008/09/statement_of_fe.html</guid>
<category></category>
<pubDate>Tue, 09 Sep 2008 22:03:46 -0800</pubDate>
</item>
<item>
<title>Abusing CareerBuilder&apos;s Name</title>
<description><![CDATA[<p>I suppose lots of people list themselves with job-finding sites. From what I can tell, there are also a number of web sites that have the name CareerBuilder in them, from dot-com to Inc. Thus, when a message with the following Subject: line lands in your inbox, a lot of recipients are likely to notice:</p>

<blockquote>
From: James Morgan / StandardP Inc<br />
Subject: Job Alert From CareerBuilder Inc
</blockquote>

<p>Here's the whole pitch:</p>

<blockquote>
<p>Dear Potential Employee<br />
You have been contacted as a potential employee who has registered<br />
on one of the Websites owned by CareerBuilder Inc.</p>
<p>
StandardP Inc is looking to fill Entry Level Payment Clerk Positions. <br />
Full paid training will be provided , full time and part time positions <br />
are available. Good communication skills and responsible personality <br />
is a plus. Second language is not necessary but a plus!</p>

<p>
StandardP Inc is a leading provider of business process outsourcing <br />
services including accounts receivable management, customer relationship <br />
management, and other services.</p>

<p>Principle Responsibilities:</p>

<p>* Process all work on a daily basis as described in training and <br />
at direction of Management.<br />
* Process all work in priority order.<br />
* Balance at a batch level as well as balancing the data path/directory <br />
at EOB each day.<br />
* Responsible to keep all pertinent back up to substantiate payment <br />
posting as necessary.<br />
* Responsible for organizing backup and archival information as described <br />
in training.<br />
* Responsible for reconciling any differences found in balancing <br />
at a batch level as well as at EOB.<br />
* The job can be done from your own home however employee is responsible <br />
to be present on last day of each month for Mandatory Month End Close <br />
at your local office.</p>

<p>Requirements<br />
Qualified Candidates Should Possess:</p>

<p>* High School Diploma.<br />
* Some PC skills.<br />
* Excellent written and oral communication skills.<br />
* Ability to work independently and in a team setting.<br />
* Ability to uphold highest level of confidentiality.<br />
* Ability to work in a multi-tasked environment.<br />
* Ability to accommodate schedule as listed below.</p>

<p>We offer a competitive salary and comprehensive benefits package, <br />
paid time off. If you have the background we seek and are looking <br />
for a position in a dynamic, fast paced organization with career growth <br />
opportunities, please submit your resume. Interested candidates only, <br />
no third parties.<br />
If you are interested please email at [removed]@live.com to receive <br />
further information about the positions available and our company.</p>

<p>James Morgan<br />
Direct manager<br />
StandardP Inc</p>
</blockquote>

<p>What the ad isn't telling you is that the post is for a Money Launderer, first class. Somehow, that terminology didn't make it into the job description. The same, or similar, ad for "StandardP Inc" has appeared in blog spam postings and even (temporarily, at least) in some free job posting sites.</p>

<p>I giggle at the line about a second language being a plus. Which language, I wonder? Russian? Romanian?</p>

<p>An added teehee comes from the usage of a free live.com email address. Now, that shows a class act for any company trying to hire employees.</p>

<p>It's easy for me to spot bogus offers like these. First of all, to suggest, as this message does at the top, that I have registered at a career-related web site is a joke. I left my last 9-to-5 j.o.b. in March of 1981&mdash;I'm determined to make a go of this independent contractor/freelance thing one way or another. Second, the messages were addressed to an address of mine that had been compromised some time ago at someone's malware-infested Windows PC. That address is circulated widely among botnet patrons. The two copies I saw came from bots in Russia and Dubai.</p>

<p>Other recipients, however, may not be as circumspect, especially if they are desperate for work, or looking for that work-at-home opportunity to earn some extra income. Although a mule and an ass are separate animals, you'd be the latter upon becoming the former.</p>]]></description>
<link>http://spamwars.com/archives/2008/09/abusing_careerb.html</link>
<guid>http://spamwars.com/archives/2008/09/abusing_careerb.html</guid>
<category></category>
<pubDate>Tue, 09 Sep 2008 16:37:16 -0800</pubDate>
</item>
<item>
<title>OMG! A Spammer Lied!</title>
<description><![CDATA[<p>A penis pill purveyor has been sending out messages that have two short sentences of clearly visible text, all of which is a clickable link. That text reads:</p>

<blockquote>
Your IT department has been paid to allow us to send you these mails. Check out the results
</blockquote>

<p>The messages also include light grey hash-busting text in the hope of bypassing whatever spam filtering "your IT department" has installed to keep this type of crap out of your inbox.</p>

<p>I wasn't born yesterday, but the domain for the link was. In a double joke, the registrant used a domain registration service that doesn't reveal any information about the registrant beyond his name: SUNMM in this case. As if spammers use real info in their domain tasting scams!</p>

<p>No one reading this blog, of course, would believe for an instant that this spammer had greased the palms of the IT department to get past the barricades. But it wouldn't surprise me to find non-techie employees at decent-sized companies taking this at face value. They either fear or dislike the IT department. In the first case, they obey anything that has an "IT" stamp on it&mdash;fake or real&mdash;and will immediately click the link; in the second case, they'll get angry that those nerds in the IT department are getting rich off spammers, and will check out the link to see what the pitch is all about. If the spammer&mdash;the one doing the mailing, not necessarily the one selling the pills&mdash;gets paid for hits on the spamvertised web site, he wins. He now has verifiable statistics that his botnet emailing system works (delivering <del>suckers</del> potential customers), meaning he can pitch it to other sellers.</p>

<p>Many of these messages naturally arrive at servers like mine, where I <em>am</em> the IT department. If only they'd offer me some coin to spam me. I could use the dough, and I have <a href="http://en.wikipedia.org/wiki//dev/null">Dave Null</a>'s inbox ready to receive in large quantities.</p>]]></description>
<link>http://spamwars.com/archives/2008/09/omg_a_spammer_l.html</link>
<guid>http://spamwars.com/archives/2008/09/omg_a_spammer_l.html</guid>
<category></category>
<pubDate>Sat, 06 Sep 2008 10:41:04 -0800</pubDate>
</item>
<item>
<title>Malware Spam for a September Morn</title>
<description><![CDATA[<p>Ah, it's a new month, and here in the U.S., we have the Labor Day holiday. Except for those whose holiday is being stolen by the Gustav hurricane, there will be lots of picnics, ball games, and end-of-summer parties. In the meantime, your email inbox is filling up with the usual crappage.</p>

<p>On the malware lure front, a long-running e-card scam is continuing, as the perps take over additional web sites to host their downloadable deliveries. New this morning are a couple of strange malware lure samples whose Subject: lines drop the names of&mdash;ta-da&mdash;Obama and McCain. The actual Subject: lines I've seen don't make much sense, but what else is new?</p>

<blockquote>
<ul>
<li>Obama Announces for President -- In Hit Show '24'</li>
<li>McCain, Obama: Cosmo Cover Also Tasteless, Offensive</li>
<li>Obama Promises Change for a Nation, Change For a Twenty</li>
</ul>
</blockquote>

<p>The messages encourage you to follow a link to a hijacked web site, where the crooks have inserted a page named index98.html. A visit to the page automatically downloads video98.exe (for which VirusTotal shows a very high recognition rate). Whether or not the auto-download works, a visitor to the page (why are you doing that?) sees the following:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch09_01_08.jpg" alt="Malware site prompt to download video codec" />
</blockquote>

<p>What looks like a dialog box is actually an absolute-positioned <code>div</code> element&mdash;a Dynamic HTML technique used by some to create content that is draggable around the browser window. Unlike a real dialog box, however, if you try to drag this one beyond the edge of the browser window, it is clipped by the browser window. In the meantime, the image of the video viewer&mdash;and that's all it is: an image&mdash;is an animated .gif image with the spinner spinning away, as if the player is "tapping its foot" waiting for the visitor to act.</p>

<p>What strikes me most about this page, however, is the choice of page title, which appears in the browser window's titlebar. It's either a leftover from some other campaign, or it's the final "grabber" to encourage visitors to download that malware loader... I mean, video codec.</p>

<p>But the email messages were about politics. As if politics and porn are somehow related....</p>]]></description>
<link>http://spamwars.com/archives/2008/09/malware_spam_fo.html</link>
<guid>http://spamwars.com/archives/2008/09/malware_spam_fo.html</guid>
<category></category>
<pubDate>Mon, 01 Sep 2008 09:45:06 -0800</pubDate>
</item>
<item>
<title>E-Profiteers Ready for Disaster</title>
<description><![CDATA[<p>The good folks at the SANS Internet Storm Center have reported (<a href="http://isc.sans.org/diary.html?storyid=4954">here</a> and <a href="http://isc.sans.org/diary.html?storyid=4957">here</a>) that domain names containing the string "gustav" are being gobbled up in anticipation of Hurricane Gustav coming ashore along the Gulf coast. A lot of these domain names blend "gustav" with words like "relief," "charity," and "donation."</p>

<p>It's possible that some of this domain name parking is being done by individuals or organizations who will set up legitimate web sites if this storm does a Katrina-esque number on the same region. Make that remotely possible.</p>

<p>My bet is that the parking spot owners will either try to resell the domains to legitimate organizations or the domains will be used directly by phony fund raising scams. Let any tragedy occur, and there will be plenty of scum out there trying to take advantage of generous folks who truly want to help.</p>

<p>Remember that there are safe places to find out where you can help. The first place I tend to look is at cnn.com, where a click of the IMPACT button (near the top right corner of the home page) will bring you lists of charities and other outlets where you can help.</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch08_31_08b.jpg" alt="cnn.com IMPACT button" />
</blockquote>

<p>Disasters such as tsunamis and earthquakes come with little or no warning. Hurricanes, cyclones, and typhoons, on the other hand, are known well in advance of potential catastrophe. That gives profiteers plenty of time to be in place to reap rewards from others' suffering.</p>

<p>Similar domain names for Hurricane Hanna are already being registered.</p>]]></description>
<link>http://spamwars.com/archives/2008/08/eprofiteers_rea_1.html</link>
<guid>http://spamwars.com/archives/2008/08/eprofiteers_rea_1.html</guid>
<category></category>
<pubDate>Sun, 31 Aug 2008 10:33:06 -0800</pubDate>
</item>
<item>
<title>Alert Message Phishing</title>
<description><![CDATA[<p>Phishing is pretty much all the same&mdash;luring you to a web site that looks just like the login page for a financial institution or anywhere else where a username/password combination opens the gates to goodies.</p>

<p>If one is wary of the overt style of phishing message&mdash;the one where there is a problem with your account, and you should log in to fix it&mdash;the shields might lower for a moment when the phishing message has a bit of indirection to it. Such is the case of one I saw this morning, which tries to lure a Capital One customer to view a message within the bank's web site messaging system. The institution with which I do online banking has a Mail section of the web site, where we can communicate with each other electronically. I believe this is fairly common. And, of course, the only way you can view such messages is by logging into the site.</p>

<p>The phishing message wasn't particularly professional-looking, but here it is just the same:</p>

<blockquote>
<img src="http://spamwars.com/image/dispatch08_31_08.jpg" alt="Capital One mail system phishing message" />
</blockquote>

<p>Note that my email client, Microsoft's Entourage for the Mac, renders hidden link addresses in plain view. Most recipients of this phishing message would just see "click here" as a clickable link, with no visible URL. Thus, even if they knew what to look for, they might not recognize that the URL is to an IP address in Poland.</p>

<p>Now, I've heard of outsourcing, but humongo Capital One isn't going to host its login pages at a hacked server in Warsaw.</p>

<p>This serves as a reminder that if you receive any type of communication purporting to come from a financial institution with whom you do business, use your established bookmark to visit the site and log in through that page.</p>

<p>I also go one step further&mdash;even with bookmarked pages&mdash;to make sure that the login page has the correct URL in the Address bar and the SSL certificate is in force (at least as much as the browser reveals). I perform that check for <em>every page</em> that requests login credentials, even accounts that seem harmless in that they don't contain much personal information. Why am I so paranoid about this? Because if a crook gets hold of any one username/password combination, there is a good chance that that combo will open doors at other sites (no, I don't have individual combinations for each freakin' site that requires a login&mdash;and it seems as though you've gotta open an account at more and more sites these days just to get basic information). It's trivial for crooks to set up robots that try your credentials at thousands of sites. All it takes is one success to expose further personal or credit card data stored on those servers associated with that username/password pairing.</p>

<p>It's sad that we have to concern ourselves about this stuff. But taking a <a href="http://en.wikipedia.org/wiki/Alfred_E._Neuman">What, me worry?</a> attitude puts you directly in the line of fire from way too many Bad Guys.</p>]]></description>
<link>http://spamwars.com/archives/2008/08/alert_message_p.html</link>
<guid>http://spamwars.com/archives/2008/08/alert_message_p.html</guid>
<category></category>
<pubDate>Sun, 31 Aug 2008 09:49:52 -0800</pubDate>
</item>


</channel>
</rss>