Dissecting Spam

Not this kind of spam. Credit: Matthew W. Jackson.

Not this kind of spam. Credit: Matthew W. Jackson.

How is it that spam/phishing emails can look so convincing in some ways, but so blatantly fake in other ways? It’s always baffled me how messages riddled with ch4racter substituti0ns can look at all legitimate and worth clicking on. Phishing emails can be far more subtle and insidious–convincing enough that someone might click it in a panic without reading close, but even so, there are so many ridiculous errors that I have to wonder if they were really even trying.

For example, let’s look at a message that I received today on one of my email accounts (links and identifying information have been removed). At the top of the message, it said:

helpdesk@myprovider.com

This looks almost legitimate. It had the correct email provider and everything. But there were two problems. First, the “help” email address for this provider is help@myprovider.com, not helpdesk, and more importantly, this was given as the name of the sender, not the actual email address. The given email address was from a French engineering school. A follow-up phishing email (yes, they can be persistent) was allegedly sent from an American university. So the actual sender was wildly wrong.

Now, the subject of the email was:

Subject: System Admin Warning: Unexpected sign-in attempt‏

This looks like an IT kind of thing to say, and serious. Let’s see the body of the message:

Dear User,

On Saturday, October 20th, 2014 5:50 PM GMT+2, we noticed an attempt to sign in to your webmail account from an unrecognized device in Moscow, Russia.

If this was you, you’re all set!

If you haven’t recently signed in from an unrecognized device and believe someone may have accessed your account, please visit this link (web address omitted) to update your account recovery information. Thanks for taking these additional steps to keep your account safe.

myprovider.com WebAdmin

Uh-oh, it looks like someone tried to hack my account from Russia…on Saturday, October 20th? Today is Monday, October 20th. And that link in the email? Well, some googling shows that the web address they wrote out in the email refers to a perfectly legitimate Canadian volunteer service organization. Obviously, I didn’t click the link to see where it really went, but it definitely had nothing to do with where the message was supposed to be from, nor where the claimed email address was from.

Of course, the biggest red flag was that they (presumably) asked for personal data via a link. No legitimate email provider would ever do that.

I know I probably shouldn’t be giving the spammers ideas, but seriously, can you at least get the day of the week right and make your addresses consistent with each other? That would literally take ten seconds, and there has to be a human working in this process somewhere…doesn’t there?

Advertisements

About Alex R. Howe

I'm a full-time astrophysicist and a part-time science fiction writer.
This entry was posted in Technology and tagged . Bookmark the permalink.