“Spam e-mails? No thanks, that’s what the Junk/Spam Folder is for” – and that’s the end of that chapter.

But did you know that spam e-mails make up 60 to 70% of all e-mails sent in a year? Furthermore, some of these e-mails find their way into the Inbox folder of e-mail accounts, victimising users.

There are many types of e-mail spam, but two are seen as highly dangerous: Phishing and Backscatter e-mail spam.

What is a Phishing E-mail?

The purpose of a phishing e-mail is to impersonate a highly recognised organisation that you are likely to be associated with. Using these forged e-mails, accompanied by fake websites and documents, the senders aim to persuade you to submit your personal details under the pretext of security and verification. However, some take another form, where you are lured into sending your personal details to obtain something of value, without the corporate forgery element; instead, the sender may pose as an individual or a made-up company.

These e-mails can alternatively morph into backscatter e-mails…

What is a Backscatter E-mail?

This is a much more thorough effort at forgery, where the spammer forges an e-mail so that it is ‘bounced’ back (a bounce message) to the e-mail account of the impersonated user. To give you more of an understanding, I’ll briefly explain what a bounce message is.

Whenever you send a message to an e-mail address only to find out that the e-mail account no longer exists or does not accept messages from your e-mail domain (for some reason or other), you are sent back an “Unable to be delivered” message along with the message that was sent. This is called a bounce message. So how do spammers use this to their advantage? The impersonator sets the ‘return to’ address for the bounce messages to another e-mail address; this can be done through a virus itself to confuse the mail server. They then send their ‘e-mail’ to a long list of e-mail addresses and let the ‘magic’ happen. Interestingly, this can be done in bulk and is a simple way to send viruses, malware and worms via e-mail; it can also be used to ‘phish’ information. But mail servers are getting better at identifying whether an e-mail address has been forged.
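To make the bounce-message trick concrete, here is an added Python example (mine, not the author’s) that inspects a delivery status notification with the standard library’s email package: if the message returned inside the bounce carries a Message-ID that our own server never sent, the bounce is backscatter from a forged sender address. The bounce text, the sent-log entry and the example.org/example.net addresses are all constructed for the example.

```python
import email
from email import policy

# Constructed sent-mail log: Message-IDs our own server really handed off.
SENT_LOG = {"<20130810.1234@mail.example.org>"}

# Constructed bounce (DSN). The returned original claims to be from alice@example.org,
# but its Message-ID never appeared in our sent log, so the sender address was forged.
RAW_BOUNCE = """From: MAILER-DAEMON@mx.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Unable to be delivered: user unknown
--b1
Content-Type: message/rfc822

From: alice@example.org
To: nobody@example.net
Message-ID: <spam-9f@randomhost.invalid>
Subject: Your account

Follow the verification process to protect your account.
--b1--
"""

# Same DSN, but returning a message we genuinely sent: a legitimate bounce.
RAW_LEGIT_BOUNCE = RAW_BOUNCE.replace("<spam-9f@randomhost.invalid>",
                                      "<20130810.1234@mail.example.org>")

def returned_message(bounce):
    """Return the original message embedded in a DSN, or None if there is none."""
    if bounce.get_content_type() != "multipart/report":
        return None
    for part in bounce.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # the nested message as an EmailMessage
    return None

def is_backscatter(raw: str, sent_log: set) -> bool:
    """True when a bounce returns a message our server never sent (forged sender)."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = returned_message(bounce)
    if original is None:
        return False  # not a DSN carrying the original; nothing to compare
    return str(original["Message-ID"]).strip() not in sent_log
```

In a real deployment the sent log would come from the outbound MTA’s queue records rather than a hard-coded set.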

Weak Phishing E-mails

But enough of the boring yet relatively interesting information. Although an astonishing number of these e-mails are sent a day, a lot of these spam messages fail to be convincing enough to fulfil their purpose. So let’s take a look at a few examples received via a Yahoo e-mail account:


PayPal

example-1

Translation:

Dear Customer,

We’ve received a request to reset the password associated with your account from an unrecognised device.

Location: Germany (IP=217.610.92.24)

Note: The location is based on information from your Internet service or wireless provider

Was this you? If so, you can disregard the rest of this email.

If this wasn’t you, please follow our verification process to protect your account information from potential future account compromise:

What you can do to minimise fraudulent transactions?

  • Download the attached document and open it in a secure browser.

  • Follow the verification process to protect your account


Sincerely,

There has been quite a good use of professional vocabulary, and the e-mail looks official enough (although I have deliberately not opened the images on the page). Where the e-mail fails is at the point of having the user download an HTM file as an attachment in order to verify the details of an account: under no circumstances would PayPal (or any other site, for that matter) require you to verify using this method, and most individuals would expect a verification link to be present in the e-mail itself. So all I have to say is: if they can’t hack the site they are impersonating to create a page that feeds information back to another destination, and instead create an HTM file, they’re going to have a very low success rate with whatever they are trying to do.


Barclays

example-2

Translation:

We are sorry to inform you that your online account has been temporarily limited.

A large number of failed login attempts have been recorded in your account as a security measure had to temporarily limit your account.

To restore your account we have attached a form to this email, please download and complete the form.

After completing the form, within 24 hours you will be called by one of our operators to confirm the data sent.

Warning: For security reasons we recommend you open the Internet Explorer browser.

If you choose to ignore our request you risk your account being suspended indefinitely.

We apologize for any inconvenience this may have caused.

Honestly, BARCLAYS Security Department.

We advise that you keep this email for future notifications. (E-mail ID: 3827552)

Note: If you have received this email in SPAM section please add to your address book secure@barclays.co.uk

© Copyright Barclays Bank PLC. 2013- All rights reserved

This is an example of the backscatter method, possibly for harmful reasons or, once again, to steal information from a user. In this instance, the e-mail has been written reasonably well; however, they’ve forgotten one major element that assists readability: formatting. Bolding words such as “Warning” and breaking lines at appropriate sentences, e.g. “Honestly, BARCLAYS Security Department.” (oh, and no one uses “Honestly” as a valediction!), could have improved the success rate of this e-mail. They’ve also forgotten what most people do when their bank accounts may have been compromised… they give the bank itself a phone call!


Yahoo

example-3

Translation:

We noticed your account is open in one other location with network IP address (200.1.2775) Click here to logout the account from your mailbox and block the IP, from login in again from the address.

Firstly, let’s pay attention to the grammatical errors. Although there are only two, in an e-mail as short as the above this is quite a generous volume. Now let’s look at the purpose of the e-mail: the sender is attempting to persuade the recipient to click on the link within the e-mail (with a good use of call-to-action anchoring). However, most e-mail alerts would include an indication of “where” the login was made in addition to the IP address; some individuals could still ‘trip up’ on this if they had recently logged in from another location. But finally, the real failures are 1) an alert would be sent to one account rather than multiple, and 2) if this e-mail were from the mail server of the account, it would not find its way into the junk mail folder. There’s clearly no sound coming from this alert.


Mega Jackpot Lottery

example-4

Translation:

YOUR E-MAIL ADDRESS WON THE MEGAJACKPOT LOTTERY.

We wish to congratulate you over your email success in our computer balloting sweepstake held on 10th August 2013. This is a millennium scientific computer game in which email addresses were used. It is a promotional program aimed at encouraging internet users; therefore you do not need to buy ticket to enter for it.

Your email address attached to ticket star number *344401* Ref. N?: 5K4/WXV/141/09/12/TR, Batch. N?: EUST/0713/598/408/78 drew the Uk Mega Jackpot International Lottery lucky numbers 8-12-13-90-65 which consequently won the draw in the Second category. You have been approve for the star prize of £1,000,000,00 GBP (One Million British Pounds).

You are advised to keep this winning very confidential until you receive your winnings. This is a protective measure to avoid double claiming by people you may tell as we have had cases like this before, please send your Full Name, Home Address, Age and Mobile Tel Number for processing of your winning fund.

Once again congratulations.

Best regards,

Mrs Vivian Lugard

Mega Jackpot coordinator.

This example is quite similar to the ‘old’ annoying banners on websites which tell you “Your IP has won a huge amount of money – click here to claim”. Shall we begin the critique of this e-mail?

The tone of the message is very similar to that of a person writing a letter who speaks English as a second language and is still in the stages of grasping it. Consequently, they are attempting to sound as professional as possible, with a few slip-ups; e.g. it is very possible that where the sender wrote the word “scientific”, s/he intended to say “specific”. But the main failures here are as follows. Firstly, the millennium happened 12/13 years ago; secondly, the sender contradicts the target locations of the competition by calling it the “Uk Mega Jackpot International Lottery”; and finally, the capitalisation of the details to be sent back is quite an obvious ‘copy and paste’ job. So err… nice “computer game” guys!


Hello From “Miss Confort”

example-5

Translation:

Hello

My name is Miss Confort Amaruda i was very happy when i saw your profile today during my research and it really attract me alot i believe you are the one i have been searching for to share my love and my good interest with. How is your health? i hope all is well with you. I believe we can move from here .by knowing each other too well. But you have to understand that distance, age and color dose not matter what matters is the true love and understanding, in my next e-mail to you i shall include my photo. i will be waiting for your email reply for further introduction. Bye my love.

Miss Confort Amaruda.

Love at first sight! Well, not really.

This is an example of a message designed to break down the ‘stranger barrier’ in another attempt to obtain personal information from the account holder. This is much more of an emotional approach but is still quite impersonal and brief on the specifics. Take the first sentence for example – “she” mentions a profile that “she” saw of the account holder; was it a Facebook profile? Dating profile? Yahoo profile (although almost no one actively uses that feature on Yahoo!)? It may have been a more effective statement if the sender took a chance and “guessed” a type of profile the recipient owned and proceeded to mention that in the e-mail. Furthermore, taking this message as a whole, this e-mail is a bit too ‘forward’ for an introduction. By using phrases like ‘I believe you are the one’ and ‘bye my love’, the sender is literally “jumping” over the barrier rather than breaking it down – and no one likes to have strangers on their territory or past their personal perimeter. So Miss Confort, to be honest, I don’t think this is going to work out; it’s not me, it’s you….


Short and Simple

example-6

Translation:

I have a confidential business worth 24.5 Million US Dollars for you to handle for me. Kindly reply via leung.w70@gmail.com

“Forget beating around the bush – let’s get straight to the point.”

And just like the message, I’m going to keep this critique short and simple:

  1. No description of the ‘confidential’ business (which is more than likely illegal).
  2. ‘24.5 Million US Dollars’ with no catch? Hmmm…
  3. Why has the e-mail arrived from one account while the user is required to e-mail another account?
  4. If it’s just for one person to handle, then why has the e-mail been sent to multiple accounts?
  5. No names mentioned or valediction.
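The shortcomings picked apart in the PayPal, Yahoo and Short and Simple critiques above are exactly the kind of signal a mail filter can score. This added Python example (mine, not the author’s, using a constructed sample message with invented .invalid domains) flags the three the post calls out: a Reply-To on a different domain from the sender, a ‘personal’ alert addressed to several recipients, and verification pushed through an HTM attachment rather than a link.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Attachment types the examples on this page push instead of a link (HTM "forms").
RISKY_ATTACHMENTS = (".htm", ".html")

# Constructed sample that combines the red flags critiqued above: sender and
# reply-to on different domains, one "personal" alert blasted to several
# recipients, and verification via an attached HTM file instead of a link.
RAW_PHISH = """From: Account Security <alerts@mail-alerts.invalid>
Reply-To: handler@webmail.invalid
To: one@example.org, two@example.org, three@example.org
Subject: Your account has been temporarily limited
Content-Type: multipart/mixed; boundary="m1"

--m1
Content-Type: text/plain

Download the attached document and follow the verification process.
--m1
Content-Type: text/html
Content-Disposition: attachment; filename="verify.htm"

<html><body>form</body></html>
--m1--
"""

def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def phishing_flags(raw: str) -> list:
    """Return the red flags found in one raw message (empty list = none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != _domain(str(msg["From"])):
        flags.append("reply-to domain differs from sender domain")
    header_values = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    if len(getaddresses(header_values)) > 1:
        flags.append("account alert addressed to multiple recipients")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            flags.append(f"verification pushed through attachment {name}")
    return flags
```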


Telex Copy

example-7

Translation:

Good day,

Your client has instructed us to make the following payment to your account. Please kindly check and confirm that the bank details are correct. The funds should be in your account within 3 working days. Also check it up from your bank and let us know by return email.

Thank you for the patience with us.

Regards

Account officer


This final example has to be the best attempt and at the same time, a pointless effort towards obtaining personal information.

I will not go too in depth, but for those who don’t know what Telex is: it is best described as a teleprinter system, commonly used for billing. The days of Telex machines are numbered; they are only ever used internally within companies, or in places in Africa where it is seen as the most reliable network technology to use. Anyway, let’s look at the flaws of the message.

The first and most obvious is the mention of a ‘client’ without a name. The likelihood that the recipient has e-mailed a client through a non-company domain e-mail address is extremely low, unless they are going for the “minimalistic professionalism” approach. The second issue is the anonymity of this e-mail. Once again, there is no introduction by name in the message, and furthermore there is no indication of the organisation the sender may be from. At this point, the least the sender will have received is a reply consisting of drilling questions. And aside from the grammatical errors again, no one titles a PDF with a money figure, usually because it significantly reduces the probability of the recipient opening the PDF and taking it seriously. In conclusion, there will be no developments with this e-mail.

Final Point

The sad thing is that there are a number of people who have no knowledge that this occurs and are gullible enough to fall for the traps. However, the power of the internet is helping us all to become aware of the latest attack methods in the best way: through exposure. But this also means that the attackers themselves are finding various other ways to obtain what they want. In fact, “Phishing” is now slowly moving to “Vishing”, where scammers impersonate banks and other significant/authority services via telephone in order to obtain personal information. Remember the types of information you would typically be asked for by those who already have your information, and when in doubt that a service is legitimate, find another point of contact to double check that it is a genuine enquiry from that service.