Saturday, June 16, 2007

Now Fear This: Phishers learn to craft a better spam email

Phishers appear to be using techniques learned from the targeted advertising industry. Security professionals have long wondered why phishing emails are, in general, so poorly crafted, and why they don't use a handful of basic techniques which would undoubtedly improve their hit rate and increase the revenue generated from phishing. In the "Today @ PC World" blog, Erik Larkin discusses an email which alarmed the PC World analysts (see: Threat Alert: Sophisticated E-mail Attacks Spread [PC World]). The email arrived with a well-crafted text body which passed the usual "first glance" tests for spam or phishing (bad spelling, bad grammar, an incorrect addressee name, a mismatched sender): it showed none of these flaws. It appeared to be a boring business email with a Word document attached. Security researchers have known for many years that phishers typically don't employ a handful of techniques which would pretty clearly boost their success rates, techniques which are not entirely unknown in the related adware "industry". Today the following ideas might seem obvious, but only recently have phishers shown signs of interest in them.
  1. Copy editing text and documents. Spam and phishing emails often contain many awkward phrases and other flaws which alert the intended victim that "something is amiss". Security researchers have long suspected that the simple step of using a word processor to spell-check and grammar-check the text of a phishing email would significantly increase the "hit rate", because many recipients cite poor grammar and spelling as the primary tip-off.
  2. Matching the correct name to the recipient's email address. Your email might be: "" but phishers and spammers will address their email to: "Sarah <>" rather than to the obvious: "John Q. Public <>".
  3. Internal consistency within the email regarding the spoofed sender. Spam and phishing emails often don't appear to be "From:" the same person who signed the bottom of the email.
  4. Using modern software development tools and techniques to target the population of intended victims. Phishers often spam many millions of people with the same email. This gives anti-spam software both sufficient time and sufficient odds to capture, analyze, and block many, even the vast majority, of those emails. If instead phishers sent Wells Fargo phishing emails only to known Wells Fargo customers, then the time it takes to capture the emails goes up, and the number of potentially profitable victims (those with Wells Fargo accounts to be drained) who are reached in the critical first few days goes up, perhaps by a lot. Phishers and spammers have access to a great deal of data. They could use that data, with the help of some custom software such as a web crawler, a few plugins to their existing bot, virus, and worm code, and a database, to dramatically improve their ability to target their phishing emails.
Security researchers have pondered these issues for several years. Some of these steps are relatively simple, particularly as compared to some of the technical aspects of developing and managing a botnet without getting caught. Why don't phishers employ them? The answer, it has been thought, is simply that it wasn't necessary. Phishers were seeing a high enough hit rate and making enough money using their primitive spamming techniques. Spam was cheap to send, so sending millions of spam emails each time didn't cost them any more than sending a hundred. However, the techniques above require an expensive investment in software development. Once spam filtering became good enough, it was thought, phishers would probably see a hit to their income and find it necessary to start improving these other aspects of their phishing systems.

That time seems to have arrived. The big web mail providers, with a fire lit under them by competition from Google, have finally started to get better at spam filtering. Google and others are letting their users easily flag spam that does get through, and automatically feeding that back into their spam filters, thus protecting other users from spam and phishing. This has apparently spurred some spammers and phishers to start developing more advanced techniques for targeted spamming. Those techniques will include various ways to phish for the raw data which they can use to map onto other data already in their possession or collected in other ways. Phishers already have mountains of credit card numbers, stolen in various ways online (from compromised web servers in the recent TJX / TJMaxx incident, for example), but they may lack other details which make those numbers useful.

Here is one recent example of such a data phishing email, and probably a related scam, which I received in my inbox this morning. It made it past a few layers of very effective spam filtering. As you can see, the spelling and grammar of the email are not bad.
Native speakers of English can pick out a few minor flaws, the most egregious of which I've noted by placing the correction in [] brackets immediately following the error. In general, however, this email is better crafted than many.

Attn: American Deaf Network has several projects planned and in the process, we [in process. We] also work along side National Organizations to build safer communities for those affected in these rural areas. American Deaf Network receives donations on a daily basses from all over the world. We are seeking your assistance to work for the foundation and get paid. We do not require your full time or effort All you will need to do is to receive donations on behalf of the foundation. Donation comes in Checks and Money Orders. You will be paid a montly salary of $1,105.00. Please get back at us [get back to us] indicating your interest on making the world a better place for the deafs [the deaf]. Send us the following information to immidiately process your application. First Name. Last Name. Address. Contact Phone Make sure you send the requested information to the below email. Have a nice day. American Deaf Network 30045 Alicia Parkway #150 Laguna Niguel, CA 92677 USA
The first thing I did upon receiving this was wonder whether there was an organization silly enough to send out such an email. I thought it unlikely, but certainly not impossible. I Googled "American Deaf Network" and found only one reference to it, declaring it to be a scam, as suspected. These two examples, from PC World and above, are undoubtedly the tip of what will be an iceberg of more sophisticated and polished phishing email scams. This is a new cycle in the phishing arms race. Additional details on the "proforma-invoice.doc" email can be found here: Avinti Security Briefing: Proforma Invoice.


Friday, June 15, 2007

Identity Theft with a happy ending, sorta.

The San Francisco Chronicle has an interesting tale describing how identity theft victim Karen Lodrick recognized a woman who had been using her stolen identity in line at a Starbucks. She called 911 and pursued the woman, who was arrested, tried, convicted, and sentenced to time already served (44 days) plus probation. I'm curious about one of the details, however. Ms. Lodrick, and apparently the police, believe that her identity was stolen when the perpetrator stole unsolicited bank cards which "she had not requested". Were these unsolicited accounts? Probably not. They are described as "debit/credit cards", and other details of the story indicate that the cards were used to extract cash (or equivalent) from her accounts. Banks routinely send renewal cards to account holders, and the term "unsolicited" is typically not used to describe this situation. If the bank sent her a debit/credit card for an account that she didn't want such a card for, then the bank needs to evaluate its policies.
