
Now Fear This: Phishers learn to craft a better spam email

Phishers appear to be using techniques learned from the targeted advertising industry. Security professionals have long wondered why phishing emails are, in general, so poorly crafted, and why they don't use a handful of basic techniques which would undoubtedly improve their hit rate and increase the revenue generated from phishing. In the "Today @ PC World" blog, Erik Larkin discusses an email which alarmed the PC World analysts (see: Threat Alert: Sophisticated E-mail Attacks Spread [PC World]). The email arrived with a well-crafted text body which passed the usual "first glance" tests for spam or phishing: bad spelling, bad grammar, incorrect addressee name, mismatched sender. It appeared to be a boring business email with a Word document attached. Security researchers have known for many years that phishers typically don't employ a handful of techniques which would pretty clearly boost their success rates, techniques which are not entirely unknown in the related adware "industry". Today the following ideas might seem obvious, but only recently have phishers shown signs of interest in them.
  1. Copy editing text and documents.
     Spam and phishing emails often contain many awkward phrases and other flaws which alert the intended victim that "something is amiss". Security researchers have long suspected that the simple step of using a word processor to spell-check and grammar-check the text of a phishing email would significantly increase the "hit rate", because many recipients cite poor grammar and spelling as the primary tip-off.
  2. Matching the correct name to the recipient's email address.
     Your email might be: "" but phishers and spammers will address their email to: "Sarah <>" rather than to the obvious: "John Q. Public <>"
  3. Internal consistency of the spoofed sender within the email.
     Spam and phishing emails often don't appear to be "From:" the same person who signed the bottom of the email.
  4. Using modern software development tools and techniques to target the population of intended victims.
     Phishers often spam many millions of people with the same email. This gives anti-spam software both sufficient time and sufficient odds to capture, analyze, and block many, even the vast majority, of those emails. If instead phishers sent Wells Fargo phishing emails only to known Wells Fargo customers, then the time it takes to capture the emails goes up, and the number of potentially profitable victims (those with Wells Fargo accounts to be drained) who are reached in the critical first few days goes up, perhaps by a lot. Phishers and spammers have access to a great deal of data. They could use that data, with the help of some custom software such as a web crawler, a few plugins to their existing bot, virus, and worm code, and a database, to dramatically improve their ability to target their phishing emails.
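Seen from the filtering side, the second and third items above are mechanical consistency checks. The following Python script is an added example written for this page (not code from the original post or from PC World); it parses a message with the standard library and flags an addressee name that does not match the recipient address and a signature that does not match the From: sender. The two sample messages are constructed, and taking the last non-empty body line as the signature is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the post): the first passes both
# checks, the second fails both.
CONSISTENT = """From: "Jane Roe" <jane.roe@example.com>
To: "John Q. Public" <john.public@example.org>

Hi John, the invoice is attached.

Regards,
Jane Roe
"""
INCONSISTENT = """From: "Accounts Team" <billing@example.net>
To: "Sarah" <john.public@example.org>

Hi Sarah, please find the invoice attached.

Regards,
Mark Smith
"""

def _tokens(text):
    """Lower-cased alphabetic words of two or more letters (drops initials)."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if len(t) > 1}

def addressee_mismatch(msg):
    """'Incorrect addressee name': the To: display name shares no token with
    the recipient address local part, e.g. "Sarah" <john.public@...>."""
    name, addr = parseaddr(msg.get("To", ""))
    if not name or "@" not in addr:
        return False  # no display name to compare against
    return not (_tokens(name) & _tokens(addr.split("@")[0]))

def signature_mismatch(msg):
    """'Mismatched sender': the last non-empty body line (taken here as the
    signature, a simplification) shares no token with the From: name or address."""
    name, addr = parseaddr(msg.get("From", ""))
    lines = [ln for ln in msg.get_payload().splitlines() if ln.strip()]
    if not lines:
        return False
    return not (_tokens(lines[-1]) & (_tokens(name) | _tokens(addr.split("@")[0])))

def first_glance_flags(raw):
    """Parse a raw RFC 822 message and report which checks fire."""
    msg = message_from_string(raw)
    return {"addressee": addressee_mismatch(msg),
            "signature": signature_mismatch(msg)}
```

A message with no To: display name is not penalised, since there is nothing to compare; a real filter would combine these flags with other signals rather than blocking on either alone.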
Security researchers have pondered these issues for several years. Some of these steps are relatively simple, particularly as compared to some of the technical aspects of developing and managing a botnet without getting caught. Why don't phishers employ them? The answer, it has been thought, is simply that it wasn't necessary. Phishers were seeing a high enough hit rate and making enough money using their primitive spamming techniques. Spam was cheap to send, so sending millions of spam messages each time didn't cost them any more than sending a hundred. The techniques above, however, require an expensive investment in software development. Once spam filtering became good enough, it was thought, phishers would probably see a hit to their income and find it necessary to start improving these other aspects of their phishing systems.

That time seems to have arrived. The big web mail providers, with a fire lit under them by competition from Google, have finally started to get better at spam filtering. Google and others are letting their users easily flag spam that does get through, and automatically feeding that back into their spam filters, thus protecting other users from spam and phishing. This has apparently spurred some spammers and phishers to start developing more advanced techniques for targeted spamming. Those techniques will include various ways to phish for the raw data which they can use to map to other data already in their possession or collected in other ways. Phishers already have mountains of credit card numbers, stolen in various ways online, from compromised web servers like the recent TJX / TJMaxx incident, for example, but they may lack other details which make those numbers useful.

Here is one recent example of such a data phishing email, and probably a related scam, which I received in my inbox this morning. It made it past a few layers of very effective spam filtering. As you can see, the spelling and grammar of the email are not bad.
Native speakers of English can pick out a few minor flaws, the most egregious of which I've noted by placing the correction in [] brackets immediately following the error. In general, however, this email is better crafted than many.

Attn: American Deaf Network has several projects planned and in the process, we [in process. We] also work along side National Organizations to build safer communities for those affected in these rural areas. American Deaf Network receives donations on a daily basses from all over the world. We are seeking your assistance to work for the foundation and get paid. We do not require your full time or effort All you will need to do is to receive donations on behalf of the foundation. Donation comes in Checks and Money Orders. You will be paid a montly salary of $1,105.00. Please get back at us [get back to us] indicating your interest on making the world a better place for the deafs [the deaf]. Send us the following information to immidiately process your application. First Name. Last Name. Address. Contact Phone Make sure you send the requested information to the below email. Have a nice day. American Deaf Network 30045 Alicia Parkway #150 Laguna Niguel, CA 92677 USA]
The first thing I did upon receiving this was wonder whether there was an organization silly enough to send out such an email. I thought it unlikely, but certainly not impossible. I Googled "American Deaf Network", and found only one reference to it, declaring it to be a scam, as suspected. These two examples, from PC World and above, are undoubtedly the tip of what will be an iceberg of more sophisticated and polished phishing email scams. This is a new cycle in the phishing arms race. Additional details on the "proforma-invoice.doc" email can be found here: Avinti Security Briefing: Proforma Invoice [].
