A piece of spam came across the abuse desk the other day hawking something called “Viagra Professional.” Just as some songs aren’t suited for elevator music, some products aren’t suited for Microsoft-style naming schemes.

Think about it: Outside the pharmaceutical industry, what *ahem* profession would have a use for Viagra?

Someone I know encountered a really sneaky eBay phish this weekend. It arrived through eBay’s official “Ask seller a question” system, and consisted of a simple request: Was his auction the same as the auction at the following About Me page?

The URL was a normal eBay URL of the form http://members.ebay.com/aboutme/_____. Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.

So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. It’s not a secured page, but use of SSL for login pages is still spotty enough that a user could easily miss that. And how many people have noticed that eBay only puts login forms on signin.ebay.com? You have a slightly better chance if you have a browser like Opera, which shows you the target* of a form when you hover over a button. If you think to look at it.
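The cue Opera gives you on hover can be checked mechanically. The snippet below is an added example, not code from the original post: it takes the forms on a page and flags any password-collecting form whose submit target is off-site, is not one of the hosts where the site legitimately places its login forms (for eBay, signin.ebay.com, as the post notes), or is not submitted over SSL. The page URL, the attacker host (`attacker.example.net`, standing in for the Yahoo-hosted page) and the `baseDomain` approximation are constructed assumptions for the demo.

```javascript
// Added example (not from the original post). In a browser you would feed it
// the live forms, e.g.
//   auditForms(location.href,
//              Array.from(document.forms).map(f => ({
//                action: f.getAttribute('action') || '',
//                collectsPassword: f.querySelector('input[type=password]') !== null })),
//              ['signin.ebay.com'])
// Here constructed sample data stands in for the About Me page in the post.

function baseDomain(hostname) {
  // Crude registrable-domain approximation (last two labels). Assumption:
  // adequate for the .com hosts here, wrong for ccTLDs such as example.co.uk.
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function auditForms(pageUrl, forms, allowedLoginHosts) {
  const page = new URL(pageUrl);
  const allowed = new Set(allowedLoginHosts.map((h) => h.toLowerCase()));
  return forms.map((form) => {
    // Search boxes and the like are not interesting; only forms that will
    // carry a password get audited.
    if (!form.collectsPassword) {
      return { action: form.action, verdict: 'ignored', reasons: [] };
    }
    // Resolve the action exactly as the browser does: relative to the page,
    // with an empty action meaning "post back to the current URL".
    const target = new URL(form.action || '', page);
    const host = target.hostname.toLowerCase();
    const reasons = [];
    if (baseDomain(host) !== baseDomain(page.hostname)) {
      reasons.push('posts off-site to ' + host);
    }
    if (!allowed.has(host)) {
      reasons.push('not an expected login host');
    }
    if (target.protocol !== 'https:') {
      reasons.push('not submitted over SSL');
    }
    return {
      action: form.action,
      host,
      verdict: reasons.length ? 'suspicious' : 'ok',
      reasons,
    };
  });
}

// Constructed sample: an About Me page (placeholder seller name) carrying a
// harmless search box, a spoofed login form posting to a third-party host,
// an in-page login form on the wrong eBay host, and a genuine login form.
const SAMPLE_PAGE = 'http://members.ebay.com/aboutme/exampleseller/';
const SAMPLE_FORMS = [
  { action: '/search', collectsPassword: false },
  { action: 'http://attacker.example.net/login.php', collectsPassword: true },
  { action: '', collectsPassword: true },
  { action: 'https://signin.ebay.com/', collectsPassword: true },
];

function demo() {
  return auditForms(SAMPLE_PAGE, SAMPLE_FORMS, ['signin.ebay.com']);
}

for (const r of demo()) {
  console.log(r.verdict, r.action, r.reasons.join('; '));
}
```

The third form shows why the “only on signin.ebay.com” rule matters on its own: a form that posts back to members.ebay.com never leaves the site, yet it is still not where a real login belongs.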

I suppose it was only a matter of time before these two genres of spam collided. Today I received a spam advertising body-part enlargement products, with a link to a site called bmsMUNGEDcommercialmortgage.info (without the MUNGED).

Apparently, getting a new mortgage is supposed to increase my ability to handle huge tracts of land.

Here’s another example of randomly-generated spam somehow being appropriate:

This morning I received an image-based stock spam. The sender’s name was listed as “eye gouging.” Yes, spam does sometimes make you want to gouge out your eyes (or perhaps the spammer’s). May I recommend the Grammar Spork™ (NSFW: language) for such cases?

I just spotted a rather disturbing phishing message in (of all places) our abuse contact mailbox:

Subject: Fraud Prevention Measures

Dear customer!

Due to high fraud activity we constantly increasing security level both for online banking and card transactions. In order to update our records you are required to call MBNA Card Service number at 1-800-[removed] and update information on your MBNA card.

This is free of charge and would not affect any transactions with your card. Please note this is necessary to provide highest security level for all transactions with your card.

No HTML tricks. No links to fraudulent websites. Just a phone number.

I can only assume this is a response to the high-profile inclusion of antiphishing features in Internet Explorer 7 and in Firefox 2. If there’s no website, there’s nothing for a web browser to check.

And of course by not using sneaky technical tricks in the message, it’s harder for tools like ClamAV, spam filters, or mail clients to detect.
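A filter can still get some purchase on a message like this, just not from links or HTML. The scorer below is an added example, not part of the original post or of any real spam filter: it looks for the shape of the message itself, a toll-free number, an instruction to call, an “update your records” pretext, fraud/security framing, and, most tellingly, a phone number with no link at all. The weights, the threshold and the 1-800-555-0199 number in the constructed sample (a fictional number standing in for the removed one) are assumptions.

```javascript
// Added example (not from the original post). Heuristic indicators for a
// phone-only ("vishing") phish; weights and threshold are assumptions.
const INDICATORS = [
  {
    name: 'toll-free number',
    weight: 2,
    test: (t) => /\b1[-. ]?8(?:00|33|44|55|66|77|88)[-. ]?\d{3}[-. ]?\d{4}\b/.test(t),
  },
  { name: 'asks you to call', weight: 1, test: (t) => /\bcall\b/i.test(t) },
  {
    name: 'records/verification pretext',
    weight: 2,
    test: (t) => /\b(update|verify|confirm)\b.{0,40}\b(records|information|account|card)\b/i.test(t),
  },
  { name: 'security/fraud framing', weight: 1, test: (t) => /\b(fraud|security)\b/i.test(t) },
  { name: 'financial brand named', weight: 1, test: (t) => /\b(card service|bank|banking)\b/i.test(t) },
];

function scoreVishing(message) {
  const text = message.subject + '\n' + message.body;
  const hasUrl = /https?:\/\/|\bwww\./i.test(text);
  const matched = INDICATORS.filter((i) => i.test(text));
  const hits = matched.map((i) => i.name);
  let score = matched.reduce((sum, i) => sum + i.weight, 0);
  // The signature of this genre is a number to call and nothing for a browser
  // or link checker to look at, so that combination counts extra.
  if (hits.includes('toll-free number') && !hasUrl) {
    score += 2;
    hits.push('phone number but no link');
  }
  return { score, hits, hasUrl, verdict: score >= 6 ? 'likely vishing' : 'unclear' };
}

// Constructed sample: the message from the post, with a fictional number.
const VISHING_SAMPLE = {
  subject: 'Fraud Prevention Measures',
  body:
    'Dear customer!\n' +
    'Due to high fraud activity we constantly increasing security level both for ' +
    'online banking and card transactions. In order to update our records you are ' +
    'required to call MBNA Card Service number at 1-800-555-0199 and update ' +
    'information on your MBNA card.\n' +
    'This is free of charge and would not affect any transactions with your card.',
};

// Constructed benign sample for contrast: a link, no phone number, no pretext.
const BENIGN_SAMPLE = {
  subject: 'Your order has shipped',
  body: 'Track your package at http://www.example.com/track. Questions? Reply to this message.',
};

function demo() {
  return { phish: scoreVishing(VISHING_SAMPLE), benign: scoreVishing(BENIGN_SAMPLE) };
}

const out = demo();
console.log(out.phish.verdict, out.phish.score, out.phish.hits.join(', '));
console.log(out.benign.verdict, out.benign.score);
```

None of these indicators is decisive alone (plenty of legitimate card-service mail quotes a toll-free number), which is why the example scores a combination rather than matching one pattern.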

Incidentally, does anyone else find it ironic that one of the most common phishing techniques is to exploit people’s fear of being phished?

Further reading: Anti-Phishing Working Group.