
Tuesday, March 17, 2020

The Nigerian NFL SPAM!

by Michael Seese

It's been a while since I've posted anything in the infosec or BCP space. I've been a tad preoccupied of late with that whole "author thing." But just like rainstorms bring out the earthworms, calamities bring out the cockroaches. And with the Coronavirus scare / hoopla taking over EVERYTHING, I'm sure the email below is the first of many con jobs I'll see. So I thought it would be a good idea to hold class again on SPAM Detection 101. 

Of course, this lame attempt at SPAM is so funny, it's almost beyond belief. There are so many things wrong with it. (In fact there should be a contest. See if you can find any obvious holes that I missed, and post them as comments.) 

And, yes, I realize that the image may intrude on the standard blog info to the right. But I wanted you to be able to read it. 

First and foremost, it's an easy Google search to confirm there's nobody named John Blair who plays in the NFL. 

First-and-a-half, if he's 20, he's probably not IN the NFL. And unless he was a coveted high draft pick (see point #1) he's not worth $4.6 million.

Second, he's American. I'm American. Why does he feel compelled to specify USD? 

Third, if he's accessing his email and offering his largess to a random stranger, I'm gonna go out on a limb and say he's probably not in the ICU and dying.

Third-and-a-half, if I only had a "couple of days left," I'm not sure I'd take "a little time to make up my mind."  

Those are just a few of the things I see when I read emails like this. But it's second nature to me. I share this because it might not be second nature to everyone.

How about y'all? Anything else I missed, aside from bad grammar? (But, hey, he's an NFL player.... right?)

If you're looking for tips on how to avoid SPAM and myriad other infosec gotchas, pick up a copy of Scrappy Information Security.

Stay safe!

Stay Scrappy!  


Friday, July 13, 2018

Lazy SPAM

by Michael Seese

First came self-service gas stations. Then self-service supermarket checkouts. And now, apparently self-serve SPAM, per the extortive email below. 


There's no hyperlink to click on.

No email address to write back to the Nigerian prince and claim my untold riches. 

Just vague instructions to send $700 worth of Bitcoin to some big, long string of letters and numbers.

Though I do appreciate the friendly "howdy" from Saudi Arabia.

I could imagine these guys robbing a bank. "This is a hold-up. Put your money in this bag. We'll be sitting over there."

The way I see it, there are three main problems with their tack.

1. Send Bitcoin? Um, how do I do that? From Paypal? My online bank account? Seriously, I work in IT, and have no idea how to do it.

2. Or what? Did they lock up my PC with ransomware? Kidnap my dog and force her to listen to Ariana Grande talk? No, they claim they have dirt on me, and will show it to my friends. Which leads to...

3. If I received an email with the subject, "Wait until you see the gross thing John Doe did," I'd delete without opening it. Unless I needed fodder for another rant about SPAM. And I think I can speak for my friends when I say they're too smart to fall for it as well.

Though I've never assigned a letter grade to the SPAM emails I receive, if I were to do so, this one wouldn't even rate an E for "effort."

And if, by chance, you do get an email with the subject, "Wait until you see the gross thing Michael Seese did," you can ignore it. It's not real, or it was photo-shopped, or something.

In all seriousness, I looked through my record of posts and saw my last entry on SPAM was two years ago. And though I know I've gotten a few in the interim, it really has tailed off for me. How about you? Are you getting more or less SPAM than you were a few years back?

Wednesday, March 23, 2016

Pleazy SPAM

by Michael Seese

This might be the lamest spam I have ever seen. 


Let us count...

1. Subject: "Give Your Fob Price". What on Earth does that mean?

2. Does anyone know anybody named "Pleazy?"

3. Or, per the first line, "pleazy" ...

4. ... who works for the "Obatesk Intl Compnay Ltd"

5. "I saw your product on the webpage" What product? What webpage? I don't sell any products.

6. "in view that we will have good business relationship with your company now and in future" Is this Yoda?

7. "This is first time for us to cooperate together" No, I'm pretty sure we've done business before. I always remember illiterate customers.

The email contained a ZIPped attachment that no doubt delivers a malicious payload.


My only lament is that Google doesn't seem to offer an easy way to report SPAM accounts. SPAM@Gmail.com doesn't work. Webmaster@Gmail.com doesn't work. If anyone knows of a good way to report SPAM to Google, I'm all ears.

Oh, and be safe out there people. 



Wednesday, January 13, 2016

Statement SPAM

by Michael Seese

It's been a while since I'd gotten a good SPAM. But here we are, two weeks into the new year and I received not one -- but TWO -- emails attempting to separate me from my data.

And part of the problem, as I have mentioned in the past, is that those two emails came within one minute of each other.


The emails themselves are pretty pedestrian.



"Hi there, a54fee8@michaelseese.com. Here is your statement from that well-known company, 163.com, courtesy of Elvira Wake, whose email address is the ever-so-logical meian401862ox@163.com...."

When are these guys going to come up with something new? 

As always, my friends, stay safe and smart out there.

Wednesday, June 24, 2015

My Résumé SPAM

by Michael Seese

It had been such a long time since I'd received any good SPAM, I'd nearly forgotten about it. But then this week...

As you can see from my inbox snippet:


 
based on the last two days, I'm a very popular recipient of résumés.

I think anyone who is not my Mother wouldn't even come close to falling for this. (Sorry, Mom.) But, let's go over a few signs.

1. Two résumés within four minutes of each other? 

2. The subject of the first two begins "Re:" OK, let's think about this. If I were a recruiter (and I'm not, of course) would I send an email to someone titled "Résumé" or "My résumé?" Probably not. So why am I getting a response?

3. If I look at one of them (they basically say the same thing) I see

 Wow! That looks really professional. I've got to run right out and hire Traci. That would be considered "cooperation," no?

4. The above came from the third line. I'm not sure how one gets from "obynathans" to Traci, but OK.

5. You'll notice there is an attachment. It's a ZIP file. Of course. My resume is so big I've got to ZIP it up before I send it.

As always, stay vigilant, people.

Monday, January 5, 2015

More Paypal SPAM

by Michael Seese

We all know the adage, "If it sounds too good to be true..." I know you all are too smart to fall for it, but it never hurts to reinforce.

The other day I received this.

On the surface, it doesn't look too bad. (Other than the fact that the Subject line looks like a billboard.)

The "From" is maxfrag.net, which is a hosting service. But why, one should ask, would a Paypal email come from there? 

 The grammar is OK. Maybe it's harmless... Then logic takes over.

Who is this?
Why is he sending me $500?
What did I do to earn it?

Therefore, we DELETE.

Be safe in the new year, friends.

On another note, this was one of my most laborious posts to create; my New Year's resolution was to learn to touch-type. And though I occasionally cheated by peeking at my fingers, I refused to revert to my old form.

How about you? Any New Year's resolutions?

Tuesday, November 25, 2014

AmEx SPAM

by Michael Seese

What's that old adage?

If at first you don't succeed,
try
try
try
try
try
try
try
again.

Yesterday's SPAM found 5 messages in my inbox. Today it was 7.

On the surface, the email looks reasonably convincing.



But, a few things stand out. So to give these guys the MST3K treatment:

1. The "From:" is a8400592e@michaelseese.com. Wait... what?

2. The "To:" is AmericanExpreco@welcome.aexp.com. So I'm sending an email to American Ex...preco?

3. "Our records indicate that you recently used your American Express card on Novermber 06, 2014." Novermber? (Actually I didn't catch that one. But the spell check did when I pasted it in here.) OK, but this notification came over two weeks later.

4. "For your security, new charges on the accounts listed above may be declined." Continuing the thought above, I've had no trouble using the card for the past 18 days. And what account listed above? Does anyone else see an account listed above? (In "fairness" to the spammers, you can see a big gap above "Dear Customer" which appears to be an image that my email program blocked. Still, if I can't see it...)

All in all, this one is pretty lame. On a scale of 1 to 10, I'd give it a D-minus.


Monday, November 24, 2014

ADP SPAM

by Michael Seese

It had been kind of quiet on the SPAM front lately. And then I got this:



As always, a few things stand out:

1. I have no reason to pay ADP.
2. The spoofed "From:" line looks normal, but...
3. The "To:" is to "undisclosed recipients." A logical mind might ask, Why is my invoice being sent to recipients, PLURAL?

Of course, my inbox was another dead giveaway.


If Shakespeare were writing in the Age Of SPAM, he probably would have said, "The lady doth protest too much, methinks."

Or not.

Stay safe out there friends. 

And remember, Black Friday (like other disasters) is one of those occasions which brings out spammers in droves.


Thursday, September 11, 2014

PayPOL SPAM

By Michael Seese

It's been a while since I'd gotten a good SPAM. But this came the other day.

Hmmm.

It's from "Apple <Support@paypol.securnet>"

Why "paypol?" Are the spammers worried about PayPal suing them over copyright infringement? 

(So that would be SPAM hint #1.)

It's addressed to "Dear,"

(So that would be SPAM hint #2.)

When you hover over either "Verify Now" or "My Apple ID," the URL resolves to http://www.dopropriobolso.com.br/images/stories/2014/ree.php/

(So that would be SPAM hint #3.)

I have no idea who this website is. If I had to guess, this probably isn't a site which will load malware; they're probably just trying to nab your Apple credentials. The top-level domain .br means it's Brazil.

I won't even go into "Extend our this request."

Remember, when in doubt, stop and think.

And then, still don't click.

Be safe out there, cyber-surfers.

Saturday, March 22, 2014

SPAM Tennis, Part 2

By Michael Seese

Two posts back, I recounted my adventures in the world of Singaporian (is that a word?) finance. To be exact, I had received an email from Mr. Cham Tao Soon of Chairman Audit Committee of UOB Bank, Singapore with an offer to "lay claims" to a secret account worth millions. In this case, the money belonged to Mr. Dimka Ilkovska-Boskovic, who was a member of Macedonian President Boris Trajkovski's cabinet, and who perished along with the President in a plane crash.

Mr. Soon and I exchanged pleasantries, as well as sensitive documents. At the time of my last post, he was traveling on business. After a few days, I thought I would touch base, since that's what friends do. 


Dear Mr. Soon --
 
 I hope your travels have been productive. I look forward to hearing from you so that we may continue our enterprise.
 
 Warmest,
 DJ

 

He replied:


I see the phone number you give to me as yours turns out to be the fax number for Russian online visa application. Thanks for the time wasting.
Office in Moscow
 Address: 107014 Moscow, Zhebrunova Street 6, Office 117
 Phone: 7-495-505-6325
 Fax: 7-495-649-8328
 E-mail: moscow@visitrussia.com
 



Wow! He checks references? Bummer. I had so many fun responses planned for his inevitable request for good-faith money. It really was going to be a tennis match. Oh well. I answered nonetheless.


 Dear Mr. Cham --

Or should that be "Sham?" Or perhaps "Scam?"

I'd hardly call it time wasting. I had a lot of fun imagining how excited you must have been to think you actually had a sucker on the line.

Tchau, mother-----r.

DJ
 


I chose the sign-off "tchau," as it is goodbye in Brazilian Portuguese. If you'll recall from the previous post, the original email came from the .br top-level domain. I was hoping that maybe, just maybe, he really was from Brazil, and would think, "How did he know...?"

A few days later I got this, in the same mailbox. (Bear in mind, my dear friend Cham was the only person who knew of it, and I can't imagine him "sharing" it with anyone.)

I think the moral of the story is obvious. If you're hiding untold illegally obtained millions, don't fly. The odds are you will crash.

I responded to this one with "Nice try, (expletive deleted)." 

Until next time crime fighters. 

 

Thursday, March 13, 2014

SPAM Tennis Anyone?

By Michael Seese

Normally when I get a SPAM email, I share it in this space, give it the MST3K treatment, and move on. Also, since I work in infosec, I try to throw in a few helpful hints on detecting and investigating the email.

A few weeks ago, I got this rather mundane ploy.
 


A few noteworthy points:

- Though it's hard to see, the "From" ends with .br. That's the top-level domain code for Brazil.
- The "Reply to:" email address ends with .sg. That's Singapore. OK, he got that right.
- The email was sent to "undisclosed-recipients." Note the plural.

Initially, I discarded it. But then I got a notion to have some fun. So I created a fake email account using a free service provider -- in this case Microsoft -- and sent the following:

 Dearest Mr. Soon --
 
 Yes, this would be acceptable. Please to send all funds to
 the PayPal account associated with this email address.
 
 Best,
 DJ


Fans of revisionist literature may have picked up on my use of the dialect of Quadling Country.

He responded a little over 12 hours later. Naturally, his email went on and on. The germane points were:



Before the plane crash of Macedonia's President and his aides on February 26th, 2004, our client, Mr. Dimka Ilkovska-Boskovic, who was a member of President Boris Trajkovski's cabinet advisers, and also a business man, made a numbered fixed deposit for 18 calendar months, with a value of €105,000,000.00 EUR (One Hundred &  Five Million Euros Only) in my branch.


...
 

After further investigation, it was discovered that Mr. Dimka Ilkovska-Boskovic did not declare any next of kin in his official documentations including the paper works of his bank deposit. And he also confided in me the last time he was at my office that no one knew of his deposit in my bank. So, €105,000,000.00 EUR is still lying in my bank and no one will ever come forward to claim it. 

...


my suggestion to you is that I will like you as a foreigner to stand as the next of kin to Mr. Dimka Ilkovska-Boskovic, so that you will be able to claim the funds in question.


...


There is no risk involved at all in the matter, as we are going to adopt a legalized method and the attorney will prepare all necessary legal documents. Please endeavor to observe utmost discretion in all matters concerning this issue. Once the funds have been transferred to your nominated bank account, we shall share in the ratio of 60% for me and 40% for you. I have attached herewith a comprehensive detail of this business venture for your perusal in MS WORD.
As soon as I hear from you, I will go ahead to do the needful.


So I replied:

Hon. Mr. Soon --

To be certain, My name and address are:

Dmitri Jakov
100 Lihacheva str.
Kiev Ukraine 09355

But, since the banks in Ukraine are corrupt, please deposit all funds in my PayPal account, which uses the name dmitrijakov@outlook.com

Kindest,
DJ

 

(Yes, I intentionally gave my alter-ego a name which would make a teenaged boy snicker.)

He started asking for more (reasonable, if this were legit) info:

Before we proceed further, I will need you to re-affirm your full names, mobile number and a copy of any legal form your identification (Driver's license or International Passport). I hope you understand why I need all these, the money in question is huge, and I have to ensure that I know you well enough before I furnish you with all the details to execute this project. As soon as I get the above information from you, I will forward it to my hired attorney to commence the necessary legal paper works.
 

He also added a "security code," which probably is the "Unique Sucker ID" in his database.

NOTE: that for security purpose, I would appreciate that you input this code: [UOB-X1H] in all email messages directed to me.



I googled "Ukrainian passport," and actually found an image of a (I assume) real one. I copied down the number -- changing the last digit -- and sent that along with a phone number I found. If memory serves, it was the fax number of the Kiev Tourist Bureau.

Since we're now partners and buddies, he sent me a copy of his passport, along with a link to the website of his bank. (Suffice to say, I did not click on it.)

He looks pretty good for a 72-year-old, don't you think?

He asked that I reciprocate with my passport. I thought, Uh-oh. What do I do now? Then it hit me. Since he (obviously) isn't who (or where) he says he is, I can use that to my advantage. I replied:

 Mr. Soon --
 
 I have mailed a copy of my document via parcel post, with necessary expediency, to your attention at the bank's address.
 
 Please let's get started.
 
 DJ


Take that!

Later that day, he answered:

    I am glad to note that you are a noble and trustworthy person whom I can rely on to handle this transaction. I have received your ID and I want you to know that I have forwarded your data to my hired Will & Probate Attorney who will put together the perfected legal paper works to be sent to my bank for the release of the funds. This should take no longer than two working Days.


Wow! The Ukraine Postal Service sure is efficient! (And kudos on the proper use of "whom.") He also sent me a copy of my benefactor's death certificate:

I don't know about you, but it almost had me fooled. And you know, purple is a nice color for a death certificate.

My "friend" is traveling now, and said he'd get back to me in a few days. I suspect that it won't be too long until he asks for the de rigueur "good faith" money from me. I have my initial response, which I'm sure is the same idea that everyone who reads about some poor soul falling for one of these scams has: "Why didn't you just say, 'Please take these funds from the €105,000,000.00 EUR. That should cover it.' " I'm sure he has a stock response. I've got a few of my own.

Stay tuned, crime stoppers!

Friday, February 7, 2014

Persistent SPAM

By Michael Seese

So, if you can't entice me to click on a link to find the location of a package which I know nothing about, perhaps you think you can entice me to click on a link to learn about a court action which I know nothing about.


To be honest, these guys are amateurs. Remember, one way the spammer-scum try to get you to react is by adding a sense of urgency. Where is the urgency behind "You do not have to be present at trial in person if the Court does not suggest otherwise"?

On the positive side, this particular message has quite an international flair. The sender is

court_secretary@marco_steindl.public2.linz.at  

Since you probably don't know, the top-level domain -- the .at at the end -- signifies Austria. 

And the link 

http://kundali.es/viewtopic.php?pretrial_notice=ll5z3UBEQr//eTzezjnOEQqUpr33frYLaEqA5L5Wt2c=.

would take me to Estonia where, as we all know, the Ohio Third District Court Of Appeals stores their sensitive documents.  (At least there is an Ohio Third District Court Of Appeals.)

And finally, similar to the last one, it would appear that multiple courts want me to know that I don't really need to show up, as this is what my junk folder looks like:


Too bad. I could have used a vacation to Hawaii.

Surf safe out there. 

Friday, January 31, 2014

Costco SPAM

By Michael Seese

This is the first time the folks at Costco (or grupyaglama.com, whoever they are) have written to tell me there is a problem with my delivery.



Of course, they must really want to get in touch with me. Why else would they send me two emails within one minute of each other?



Stay safe, friends. And remember, with the Super Bowl and the Oscars coming up, be on the lookout for SPAM messages touting, for example, a link to a "behind-the-scenes" video.



Wednesday, January 22, 2014

Despicable SPAM

By Michael Seese

Not that there really is any such thing as "noble SPAM." But this one is particularly heinous.



If I could know that the "From:" was the person sending it -- as opposed to some poor soul whose credentials were borrowed -- I would have written back something to the effect of, "I hope you receive something like this when YOUR mother dies." 

(For the record, my Mom is OK. But still...)

Grrrr!

Monday, January 6, 2014

Energy SPAM

By Michael Seese

This one was pretty good.



Why it almost works:

1. With that whole deregulation thing, does anyone know who his or her energy carrier is? OK, I do, because I pay attention. But perhaps some of you...
2. There is an amount due.
3. The "bill" is conveniently past due, which creates the sense of urgency that social engineering ploys often use.

But what do we always do?

1. Look at the "From" and ask, "What does a travel company have to do with my energy bill?"
2. Hover over the links and see that they would take you to http://www.manresaturisme.cat/request/QnkAh1fKMq4tjKnAsiH4k4jytThymkZ3qfsr91ZMOv4=/environment. That doesn't look like an energy company.

Always be vigilant.
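The checks these posts keep coming back to (this one, plus the ADP, AmEx, PayPal and PayPOL posts above: look at the "From" domain, hover over the links and note their host and country-code TLD, watch for "undisclosed recipients" and ZIP attachments) as a small header-and-link parser. This is an added example, not code from the blog; the sample message, the example.* hostnames and the ccTLD table are all constructed here, and the table covers only the countries the posts mention.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Country-code TLDs the posts mention (constructed subset, not exhaustive).
CCTLD = {"br": "Brazil", "sg": "Singapore", "at": "Austria", "de": "Germany"}

class LinkCollector(HTMLParser):
    """Collect href targets: what you would see by hovering over each link."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def registered_domain(host):
    """Crude owner domain: last two labels, or three under com/co/net/org."""
    labels = host.lower().split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in ("com", "co", "net", "org") else 2
    return ".".join(labels[-keep:])

def cctld_country(host):
    tld = host.lower().rsplit(".", 1)[-1]
    return CCTLD.get(tld) if len(tld) == 2 else None

def extract_links(msg):
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return collector.links

def spam_flags(raw):
    """Reasons, in the posts' own terms, that a raw RFC 822 message looks like SPAM."""
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = getattr(msg["From"], "addresses", ())
    from_host = addrs[0].domain if addrs else ""
    flags = []
    # A "personal" invoice or statement sent to undisclosed recipients.
    if "undisclosed" in str(msg.get("To", "")).lower():
        flags.append("To: is undisclosed recipients (bulk mailing)")
    # The hover check: does each link's host belong to the sender's domain?
    for link in extract_links(msg):
        host = urlparse(link).hostname or ""
        if registered_domain(host) != registered_domain(from_host):
            flags.append(f"link host {host} does not match sender {from_host}")
        country = cctld_country(host)
        if country:
            flags.append(f"link host {host} is under the {country} ccTLD")
    # ZIP attachments, which the posts note usually carry the payload.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            flags.append(f"ZIP attachment: {name}")
    return flags

# Constructed sample message in the style of the "energy bill" post above.
SAMPLE = """\
From: Energy Billing <billing@travel-example.net>
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<a href="http://billing.example.com.br/pay">View your past-due invoice</a>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
```

Running `spam_flags(SAMPLE)` yields four flags: the bulk "To:", the link host that does not match the sender's domain, the Brazilian ccTLD on that host, and the ZIP attachment.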

Tuesday, December 24, 2013

Holiday Package SPAM

By Michael Seese

I hadn't planned to write today. But this morning I received this.

So it bears repeating. Spammers take advantage of current events. And today, Christmas is a current event. So let us look at the "From:"

- jardata@jardata.com

And where the links take me (determined by hovering)

- http://espinosagomez.com/media/96qh1zivHlQIEfdn1O4wh4jytThymkZ3qfsr91ZMOv4=/WalmartForm

Neither of these looks like Walmart, does it?

These folks deserve coal in their stocking. No, wait. You can use coal for heating. They deserve used Kleenex.

And, seriously, my friends, have a safe and happy holiday season.

Ho ho ho!


Monday, November 25, 2013

Lazy SPAM

By Michael Seese

I think we should all step back and appreciate the Gestalt, the minimalist nature...



It must be an artistic statement. Or, maybe they're just scared of me!

Thursday, November 21, 2013

WhatsApp SPAM

By Michael Seese

They say that variety is the spice of life. And I was growing weary of the FedEx / UPS SPAMs. Then along comes this one to brighten my day.

So, junior infosec pros, what can we see right away about this little bugger?

How about:

1. The subject seems to think I have five more messages than the body does.
2. The sender is a Chinese cosmetics firm. (LAME, PEOPLE! You need to at least make the sender look believable.)
3. Hovering over the "Play" button reveals that I would venture to

http://antlitz-christi.de/lsebglb.php?iRTd3y1hfLVI1VfmlbJa7bcY+4zlC+0D6tmUcTJidYQ=

Ah, yes. Click on SPAM and see the world. First China, then Germany. (And is it just me, or does anyone else's mind rearrange the stuff between http and .de into "anti christ.")

Let's be safe out there.

Friday, September 6, 2013

Recursive SPAM

By Michael Seese

If you're a computer programmer, you've probably heard the term recursion. Good old Wikipedia defines it as:

Recursion is the process of repeating items in a self-similar way.

Specific to computer programming, they note:

Recursion is sometimes used humorously in computer science, programming, philosophy, or mathematics textbooks, generally by giving a circular definition or self-reference, in which the putative recursive step does not get closer to a base case, but instead leads to an infinite regress. It is not unusual for such books to include a joke entry in their glossary along the lines of:

Recursion, see Recursion.



Here is an email I received the other day.




I love it! A SPAM email in response to a blog post about SPAM!

How dumb do they think I am?

(Interestingly, there was no actual comment associated with that post.)

The link goes to http://infodata.school365.net/?document_srl=79995, which I'm sure is some cesspool.

Silly people!

To understand recursive SPAM, see recursive SPAM!

Thursday, August 22, 2013

If At First You Don't SucSPAMceed...

By Michael Seese

I'm sure somewhere or other I posted an entry lamenting / laughing at a bevy of identical SPAM emails. But this one takes the cake.

Here it (they) are:



Since it never hurts to go over this lesson, note from the bottom that the link will take me to some website out of Russia. So unless it's the Moscow bureau of the USPS... 

But what made it stand out was how they looked in my inbox:





Those postal managers REALLY wanted to get my attention. Actually, I first saw it on my smart phone, where the effect was even more pronounced.

Remember kids, if you can't beat them...laugh at them.