Archive for the ‘spam’ Category

Several coworkers and I got the same scam email this morning. The message body is attached below. It’s sneaky in its simplicity. There is so little content that the spam filters have nothing to work with – there’s little that a computer can use to differentiate this from a thousand similar but legitimate business emails.

There are a few clues for you as a human reader to look for, however.

  • The greeting line is generic – “Dear Employee” rather than “Dear Mike” or “Mr. Rossander”.
  • The From address is an odd or at least a non-corporate address (redbran@galleryfifty4.com).
  • The link is spoofed. That is, it appears to point to a legitimate careerbuilder.com page but when you float over the link (or right-click and look at properties), it is actually pointing to swc.com.ua/resume.pdf.
  • The spoofed address is in the Ukraine (the .ua part of the address). Careerbuilder is an international company but to the best of my knowledge, they do not have any servers there. And none likely to be handling English-speaking matters.
  • Do you even have an account with Careerbuilder? They are a legitimate company and I did have a resume on file with them once but several of my coworkers did not. The age since my last contact with the company was a clue for me – the complete lack of prior relationship a better clue for my coworkers.

[Image: spoof careerbuilder email]

Unfortunately, there is no guaranteed way to block these scams. The best we can do is delete them and move on with our day. In the meantime, remember that it’s not paranoia when they really are out to get you.

As the holidays get closer, many of us will turn to online shopping. Done right, online shopping is about as safe as catalog shopping – and much more convenient. If you don’t take basic precautions, though, you could lose your shirt. Take the time to learn about the kinds of scams and cons that are used online.

The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams. If you haven’t already been out to visit www.onguardonline.gov, I strongly recommend the site. It has some excellent overview material on security at the personal and small business level. The site also has a set of games covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam. Test your knowledge of internet security and safe shopping. It’s well worth the time to visit the site.

The site’s material comes from a number of public and private sources but is all released for public use. If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word. (Instructions are here.)

Addendum:
This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I’ve run across. I’ll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.

Spam filters are getting better every year. They have to so they can keep up with the ever-increasing flood of spam. But no matter how good the filters get, some spam will always leak through. More worrying, some fraction of good messages will be inappropriately tagged as spam and lost. And depending on how your respective spam filters are set, your reader may never even know that the message was attempted nor you that the message was rejected.

A while back, we wrote a tip about "how not to look like a phish". I’ve wanted to write the companion article about not accidentally tripping the spam filters for several years now. I resisted because the rapid change in spammer tactics makes any list obsolete even before it hits the page. It will also never be a definitive list – the anti-spam vendors are justifiably worried about giving the spammers a roadmap showing how to bypass their filters. Nevertheless, there are some general rules worth discussing.

  • Your subject line is important. A blank subject line (or, worse, a subject line that is ambiguous and generic like "Hi" or "I love you") will almost certainly get your message tagged as spam. A good subject line is also a courtesy to your readers, helping them to more quickly prioritize their inboxes and give your email the attention it deserves.
  • Mailing to lots of people at once will increase the odds of being tagged as spam. (This is a problem for the publishers of legitimate email newsletters with large distribution lists like, say, these tips.)
  • Use a company-issued email address. Sending from a free email account like yahoo.com or gmail will increase the odds of getting tagged.
  • Avoid common spam words like "cheap" and the V- word (rhymes with the famous waterfall). That sometimes means completely avoiding certain topics (which can be quite difficult, especially in a newsletter like this one where we are discussing spammer tactics) but more often means avoiding flowery, inflammatory or overly-promotional language. In particular, avoid all caps and multiple exclamation marks.
  • Avoid images, fancy graphics and html code in your email. Hackers and spammers hide things in those glossy "enhancements". The simpler your message, the more likely it is to get through unmolested.
  • SPELL-CHECK! Spammers are getting much better at the use of grammatically correct English but bad spelling is still a surprisingly good filter for spam.
  • If you are sending a newsletter, always include your real contact information and a working set of “unsubscribe” instructions at the bottom of the message. This won’t actually help you get past the spam filters – too many spammers just include fraudulent unsubscribe options in their messages – but it is the law.
  • Try to keep your message under two megabytes including embedded pictures and attachments. This isn’t strictly a spam-filtering rule but many mail servers use a 2 meg/message limit to keep any one message from tying up the lines.

Finally, if you don’t get an answer in a reasonable amount of time, follow up on your message. No matter what you do or how good the filters get, some false positives will always exist. The person might be ignoring you but it’s more likely that they never got the message.

For several years now, we’ve been telling everyone that email is a postcard – everything in the message is exposed to anyone who wants to read the message as it flashes by. A couple of companies have figured out how to solve this problem and their solutions are finally hitting critical mass. If you have a secure mail solution, you can finally put your message in an ‘envelope’ and keep outsiders from reading it.

The problem is that we’ve also told you as a reader to delete any message that appears suspicious or that asks you to click through some “convenient” link. The ‘envelope’ around a secured message looks a lot like a phish. (See “How it works” below.)

Here are some tips on telling the difference between a secure mail message and a spam or phish.

  • In a legitimate message, you will still be able to read the subject line and the sender. If you are not expecting a message from that sender, be suspicious.
  • Once you start working with a business partner who uses a secure mail system, all secure messages from that company should look basically the same. If the logo, the layout or the text look different, be suspicious.
  • A legitimate message will take you to the sender’s website to verify your login. A phish will try to take you someplace else to steal your password. If the message alleges to come from someone at redcross.org but the link is trying to take you to yahoo.com, be suspicious.
    Reminder: The only part of the domain that matters is the part immediately before the top-level domain (.com, .org, etc). Ignore everything to the left of that part and everything to the right of the top-level domain. In the link voltage-pp-0000.westfieldgrp.com/mail/32/, only ‘westfieldgrp’ matters for verifying the legitimacy of the message. The rest is set up by the company’s IT department to point to specific places within the company’s domain.
  • Legitimate messages are written by professionals. Scam messages want to panic you into acting without thinking and often use phrases like “URGENT” and “log in now or your account will be closed”. If the language seems inflammatory, be suspicious.

If you are suspicious, call the sender and confirm the message. Please do not just delete these messages, though. There’s a fair chance they are legitimate and you wouldn’t want to lose good messages.
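The domain rule in the reminder above, written out as an added example (not part of the original tip). It returns the significant label together with its top-level domain and also handles country-code suffixes such as .com.ua, which goes slightly beyond the .com/.org case in the text. The suffix set is a small constructed sample, the function names are hypothetical, and the sender addresses and the `https://` prefix on the page's link are assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a tiny hand-picked sample of two-label public suffixes.
# Real tooling should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.ua", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the label just before the public suffix, plus that suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    # Keep one label in front of the suffix; everything further left is
    # chosen by whoever controls that domain and proves nothing.
    return ".".join(labels[-(suffix_len + 1):])


def link_matches_sender(from_header, url):
    """True when the link's registrable domain equals the sender's."""
    _, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2]
    link_host = urlsplit(url).hostname or ""
    if not sender_host or not link_host:
        return False  # cannot verify, so treat as a mismatch
    return registrable_domain(sender_host) == registrable_domain(link_host)
```

A mismatch is a reason to call the sender, not proof of a phish: some companies host their secure mail portal under a vendor's domain.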

How it works
There are several ways to put your message in the secure ‘envelope’.
One technique doesn’t actually put the content in email at all. What you really send is a placeholder saying “You have a message waiting. Please sign in at my website to read it.” The message content stays on the sender’s webserver and never actually travels by email. Some large financial and medical institutions use this kind of secure messaging.
The other way is to pull the content off the message, encrypt it and reattach it to the message. The content travels by email but can’t be read except by someone who knows the password. (If you don’t already have a password set up, you will be asked to verify your identity and create one.)

A third technique is Transport Layer Security (TLS), a method that protects the message from one email server to another. This requires some setup between the two companies but is otherwise invisible to both the sender and the reader. These messages can’t be easily mistaken for a phish so we won’t discuss them in this tip.
An example of that second kind of ‘envelope’ – the encrypted attachment solution – is shown below.

Every so often, people ask me "why do they do it?" Why do the hackers put so much time and energy into committing crimes and sending spam? Why can’t they channel all that innovation for good?

The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for guts, glory and bragging rights – kids breaking into systems just to prove that they could or writing computer viruses to delete hard drives for the cheap thrill of vandalism. There are still some of those folks out there but the vast majority of hackers and spammers are now in it for the money. They are organized, well-educated and they’re making big bucks.

According to McAfee CEO David DeWalt, cybercrime has become a $105 billion business and is now larger than the value of the illegal drug trade worldwide. Unfortunately, computer crimes are relatively safe crimes. Hackers hide behind multiple networks and their digital footprints. Many hackers run at least part of their scam through a foreign country – often one with poor relations with the US, significantly increasing the difficulty in prosecuting any case against the criminal. Law enforcement’s ability to find, prosecute and punish cybercriminals has not kept up with the growth of the criminal activity. And even if you do get caught, DeWalt noted that “If you rob a 7-11 you’ll get a much harsher punishment than if you stole millions online.”

And even if the hacker can’t make any money off you directly (by stealing your personal information or using your computer as a point-of-entry into the corporate system), they can still hijack your computer’s processing power to attack other systems. The hacker sees your computer as an asset.

Take spam as another example. If we all stopped buying, the spam problem would dry up in a matter of months. Yet 98% of all message traffic on the Internet is now spam. Who buys that junk? According to a study from several years ago, a spammer only needs to make one sale or con per 100,000 messages in order to make a profit. With those odds, they don’t even have to be good scams. They just have to find the one gullible person among your 100,000 closest friends.