If I Were a Spammer
Fraudulent e-mail offers lessons, and not just in swindling techniques.
I get a lot of spam, the vast majority unimaginative stuff that sees the trash as fast as I can tap “delete.” Yet occasionally something unsolicited, unwanted, perhaps even unlawful will get my attention. Over the past several months, a few email messages landed in my inbox that I would like to nominate to the fraudulent email hall of fame. Those behind the messages were quite smart and creative. In fact, if fraud had been my calling, they might have given me ideas about how to fool many an unsuspecting soul. Here are three of them:
What did the email messages above have in common? They were clever, well-executed fraudulent attempts at stealing my personal and credit card information.
EarthLink runs from EarthLink.net (not .com). At press time, EarthLink.com looks identical to EarthLink.net. Yet, according to the real EarthLink, it’s a complete hoax, an illegal copy of the EarthLink site set up to help steal information from unsuspecting victims. The email seems to feed the information to Korea (.kr). The salutation at the end, “Trully yours,” was a bit of a giveaway and might cause the recipient to become suspicious. Then again, do people read their email that carefully these days?
To make matters worse, I forwarded the spoof email to the company’s abuse desk. I received an immediate and predictable autoresponse telling me there was not enough information in the message to determine whether it was spam. The message then proceeded to tell me EarthLink had probably already received complaints about this message (assuming it was just regular spam). At the bottom, there was another address to which I could forward my message to have a human being take a look.
A human responded the next day, saying, yes, this was a hoax. In fact, two days after receiving the original, I received a message — ostensibly from Garry Betty, EarthLink CEO — warning all EarthLink subscribers about the hoax and pointing at some useful resources.
But here’s the clincher. The same day I got the message from Betty, I also received one from [email protected] with the subject: “EarthLink Subscriber Alert: Credit Card Expiration.” Impeccable timing! It informed me my credit card on file had expired and please return to the site to update my information. This one was authentic, but how would I know that?
The Visa and PayPal spoofs were even cleverer. They pulled all the images (logos and screenshots) from the Visa and PayPal Web sites, respectively, but the Web forms included in the messages themselves went to an illegitimate server somewhere. The brilliant twist on these messages was they played on security fears to defraud and breach security. It took some “level-two forensics” to even technically establish these were intended to defraud. A quick look at the messages and their HTML code did not make it immediately apparent they weren’t legit.
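The "level-two forensics" the column describes boils down to one question: the logos may come from the real site, but where does the form send the data? The following Python script is an added example (not the column's own code) that extracts form actions and link targets from an HTML message and flags any whose host is not under the domain the message claims to come from; the sample message, the `brand.example` domain and the `203.0.113.7` address are constructed.

```python
# Added example (not from the column): flag HTML e-mail whose forms or links
# send data to hosts outside the claimed sender's domain. Sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TargetCollector(HTMLParser):
    """Collect form 'action' and anchor 'href' targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))
        elif tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))


def _host_in_domain(url, domain):
    """True if the URL's host is the domain itself or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def find_offsite_targets(html_body, claimed_domain):
    """Return (tag, url) pairs whose host is not under claimed_domain.
    <img src> is ignored on purpose: a spoof pulls real logos from the
    brand's site, so only where the data is sent is telling."""
    parser = _TargetCollector()
    parser.feed(html_body)
    return [(tag, url) for tag, url in parser.targets
            if not _host_in_domain(url, claimed_domain.lower())]


# Constructed sample: images come from the brand's site, the form does not.
SAMPLE_SPOOF = """<html><body>
<img src="https://www.brand.example/images/logo.gif">
<p>Your card on file has expired. Please verify it below.</p>
<form method="post" action="http://203.0.113.7/verify.cgi">
  <input name="card"><input type="submit"></form>
<a href="https://www.brand.example/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_offsite_targets(SAMPLE_SPOOF, "brand.example"):
        print(f"suspicious <{tag}> target: {url}")
```

Relative URLs (no host at all) are also flagged, which is the right default for a message that claims to come from a specific site.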
I have no sense of how many people fell for these clever hacks, but I have to believe it was more than a few. This advanced spoofing phenomenon even has its own name: “phishing.” These attacks could be the single biggest threat spam has posed to legitimate online commerce to date. Yes, those mortgage ads are annoying and the pornography offensive, but this is different. This makes people think three times before clicking on links in legitimate email or even entering credit card information on a Web site. How do I know this email is from a legitimate source? How do I know this Web site is, in fact, representing the company it says it is?
In a July 22 CNN article reporting on this phenomenon, the writer advises how to avoid becoming a victim of a phisher scam. Here are two of the five tips:
It is not uncommon that a company doing commerce online makes 10 to 30 percent of its revenue directly from email marketing programs. Advising people not to click on links in commercial email may be a logical conclusion, but it’s not practical.
This problem can only be solved if we make a structural change to email. As long as it’s laughably easy to forge one’s identity in an email, the medium will continue to be insecure and vulnerable to these kinds of attacks. As I argued in a recent column, we must, and can, evolve the email infrastructure to include support for true authentication. If you have to deliver proof of identity to deliver a message, it becomes a lot harder to hide and therefore a lot harder to commit fraud.
In the meantime, let’s make a concerted effort to educate consumers about this problem. I urge any organization using email to communicate with its customers to proactively reach out and inform them of the phisher phenomenon. Offer suggestions for what to do if they think they may have received one. (Here’s part of what EarthLink has done.)
People must know they should never fill out a form asking for sensitive personal information in an email. They also need to know where to report a suspected fraudulent message. Let’s just agree to dedicate [email protected] to be the forwarding address for these things. We’ve gotta fix this one or people could very quickly decide they no longer want to risk entering their credit card information in Web forms. It goes without saying that would be very bad.