Fundamental Spam Tricks Stay the Same
Written by Paul Cunningham on June 10, 2009
About once per day I will glance in the spam folder of my email just to see if any important business items have been incorrectly marked as spam. Sometimes I will go a step further and open one or two spam messages just to see what spammers are up to these days. The spam that I looked at today was interesting in that it contained no tricks or techniques that haven’t already been used for many years.
Spoofed Sender Addresses
An inherent weakness of the SMTP (email) protocol is that the email address of the sender is not verified or authenticated. During an SMTP session the “MAIL FROM:” command specifies the sender (“From”) address for the email, and the sender is free to specify anything they like here.
This has resulted in the problem of emails claiming to be from addresses such as support@paypal.com to trick the recipient into trusting the message contents. It has also led to other problems such as backscatter, in which the genuine owner of a spoofed email address receives all of the NDRs and “bounce backs” that spammers cause.
Spotting a spoofed sender address requires looking at the message headers. This is something that most email users would not consider doing, nor would they even know how to do it. Furthermore, some web-based email services make it impossible to inspect full message headers using their web interface.
Because spoofed sender addresses will fool all but the most savvy email users, they are best defended against with a good quality anti-spam system.
Fear, Urgency, and Call to Action
Spammers are similar to legitimate marketers in that they are trying to get a person to take a desired action. Of course, the key difference is that spammers are malicious criminals, and genuine marketers are not. However, because their goal is essentially the same, many of their tactics are also the same.
Most phishing scams will use fear to spur the target of their scam into action. In a recent spam email I received this came in the form of a bank account warning.
“We recently have determined that different computers have logged into your Internet Banking account and multiple password failures were present before the logons.”
If the spammer is successful in causing fear, the next step is to communicate urgency. Much like the department store sale that is “one week only!”, the spammer uses a deadline to try to provoke an urgent response before any thought can be given to the validity of the message. In the case of my bank phishing scam, the deadline specified was the same date the email was sent.
“If this is not completed by June 9, 2009, we will be forced to suspend your account indefinitely as it may have been used for fraudulent purposes.”
The fear is reinforced by the stated consequences of inaction. Account suspension sounds plausible because mainstream media regularly reports on internet banking fraud and identity theft. Now that the victim is sufficiently scared and willing to take immediate action, the spammer presents the last piece of the phishing scam: a clear and simple call to action.
“To confirm your banking account records click on the link below.”
The link will typically take the victim to a web form that uses the logos and visual styling of the bank in question, where they willingly submit their banking username and password.
Because these classic marketing techniques are still effective against many people, the best defense is a spam content filter that will detect and block these types of phishing attempts.
Phishing Wrapped in Authenticity
Although there is still a long way to go when it comes to end user education about spam, the overall awareness is slowly improving. Because of this, spammers take a little more care when attempting phishing scams so as to avoid alerting a victim that they have just been scammed.
For example, in the bank phishing scam I mentioned earlier the email uses logos and other branding to make it appear authentic. Also, the link to the website that collects usernames and passwords looks like an HTTPS URL, but actually goes to a different HTTP address. Many people would think to check that the link starts with https://, but would not verify that it actually took them to that web address once they clicked on it.
In one recent PayPal phishing email almost the entire contents of the email were genuine. The sender address was not spoofed; rather, the message was simply sent from a domain name that included the word “paypal” in it. All of the images used in the email came from PayPal and eBay servers, and the included warning not to provide your password even linked to the real PayPal FAQ page. The only obvious red flag was the form embedded in the message from a remote server in Switzerland, which could only be determined by inspecting the HTML source of the email message, something most email users would not think to do (and again, something made more difficult by the interface on popular web-based email services).
When 95% of an email is authentic-looking, and the other 5% is only going to be spotted by a savvy user, the best defense is an anti-spam system that will detect and block the message before it is received by the spammer’s target.
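The two tells described above, a link whose visible text looks like an HTTPS URL while its real target is an HTTP address on another host, and a form embedded in the message that submits to a remote server, can both be found mechanically from the HTML source. The following is an added example written for this post, not code from the author or from any anti-spam product; the message it parses is a constructed sample using reserved example hostnames and addresses, and the Python standard library does all the parsing.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: an https-looking link that really goes to an
# http address on another host, and a login form that posts to a remote server.
SAMPLE = b"""From: Internet Banking <security@examplebank.test>
Subject: Urgent: confirm your account
Content-Type: text/html

<p>To confirm your banking account records click on the link below.</p>
<a href="http://203.0.113.5/login.php">https://www.examplebank.test/secure</a>
<form action="http://phish.example.invalid/collect.php" method="post"><input name="pw"></form>
"""

class LinkFormExtractor(HTMLParser):
    # Collects (href, visible text) for each anchor and the action URL of each form.
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._href, self._text = [], [], None, ""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], ""
        elif tag == "form" and a.get("action"):
            self.forms.append(a["action"])
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def suspicious_indicators(raw_message):
    """Return human-readable findings for the link and form tricks described in the post."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parser = LinkFormExtractor()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in parser.links:
        real = urlparse(href)
        # Only compare when the visible text itself looks like a URL the reader would trust.
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if shown and (shown.scheme, shown.hostname) != (real.scheme, real.hostname):
            findings.append(f"link shows {text} but goes to {href}")
    for action in parser.forms:
        if urlparse(action).hostname:  # absolute URL: submitted credentials leave for that host
            findings.append(f"form posts to remote server {urlparse(action).hostname}")
    return findings
```

A content filter would treat either finding as a strong phishing signal; the first one in particular is invisible to a user who only reads the link text.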
Humans Are Still Easily Tricked
The common element of the spam techniques mentioned above is that they are still very effective against regular people despite having been used for many years. I do not foresee a time in the future when the majority of email users are savvy enough to spot every spam or phishing message that arrives in their inbox. Now, and for a long time ahead of us, there will remain a strong need for effective anti-spam systems to protect email users.