Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Exploit Kits Have Changed Spammers' M.O.

Posted by timothy on from the if-you'd-like-to-continue-say-your-password dept.

An anonymous reader writes "Spammers used to depend on email recipients to tie the noose around their own necks by inputing their personal and financial information in credible spoofs of legitimate websites, but with the advent of exploit kits, that technique is slowly getting sidelined. Prompted by the rise in numbers of spam runs leading to pages hosting exploit kits, Trend Micro researchers have recently been investigating a number of high-volume spam runs using the Blackhole exploit kit. According to them, the phishing messages of today have far less urgency and the message is implicit: 'Your statement is available online'; or 'Incoming payment received'; or 'Password reset notification.'" One thing that's long worried me is that the bulk of spammers and malware writers may hire copywriters with a better grasp of English than most of the ones I see now. "I send you this file in order to have your advice" was funny, because it stuck out.

37 comments

  1. Copywriting by Anonymous Coward · · Score: 5, Interesting

    "One thing that's long worried me is that the bulk of spammers and malware writers may hire copywriters with a better grasp of English than most of the ones I see now"

    At least in the '419-style' scams, research from Microsoft implies that the bad English is, at least in part, deliberate. It's obvious enough to 'smart' people that they won't bother responding (and therefore tying up the spammer's time trying to extricate their funds/credentials/whatever). However, less-savvy people might not realize it's a scam and therefore follow the links. As a result the hit rate of people who do respond is likely to be higher, resulting in a better yield for the scammer.

    1. Re:Copywriting by stillpixel · · Score: 5, Insightful

      I suppose that technique would boil down to basically use the grammar most likely used by the persona you are targeting much like in advertising. So if you are targeting people less educated or computer savvy, then use poor grammar and misspell words.

    2. Re:Copywriting by The+Mister+Purple · · Score: 1

      Exactly.

      I leave this comment because I am out of mod points, otherwise I would mod you up.

      --
      "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
    3. Re:Copywriting by interkin3tic · · Score: 1

      How much time does it take to verify someone's information in the Nigerian prince scheme? I thought it was "Send me your bank account info" and if you sent them something else, they'd just ignore it. I'm surprised research indicates they'd save much time filtering out the smart people.

    4. Re:Copywriting by N0Man74 · · Score: 5, Interesting

      They are different attack vectors with different goals. Phishing relies on confusing a fake organization for a legitimate one. The more authentic and professional looking the better. Even a non-gullible person might fall prey to some of these sites (especially when more people are viewing e-mails on their phones and phones make it MUCH harder to see the tell-tale sign of a bad link).

      When all you need is log-in information, or a bit of personal information, the more legitimate looking the better. You don't care if the person is gullible or not, because you are asking less of them. You set up a web server and just collect data with no need for human interaction with the visitors.

      The Nigerian scams need people that are more gullible because those scams require more human time investment (and direct interaction) on the part of the scammer, and a greater amount of gullibility for their prey (since it also involves them sending money, not just filling in a form).

    5. Re:Copywriting by Anonymous Coward · · Score: 0

      I like the irony when someone talks about "better English" and "Copywriter" in the same sentence.

      What is copywriter anyway? Is it a misspelling of Copy Right changed into a noun?

    6. Re:Copywriting by lgw · · Score: 0

      What is copywriter anyway? Is it a misspelling of Copy Right changed into a noun?

      A copywriter writes "copy" (material that will be copied). The normal implicaiton is "advertising copy", but it could be any short text, really.

      A copy editor does what an editor once did: edit text for style and consistency, and of course simple errors ("editor" means something closer to "producer" these days).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:Copywriting by Anonymous Coward · · Score: 0

      "They are different attack vectors with different goals"

      They are, but you can extrapolate a similar reasoning. The current attack vector isn't as much getting people to click a link and fill out a web form as much as getting them to open a file attachment. Most current browsers include some kind of phishing attack detection/prevention and I would suspect the usable lifetime of a phishing web site to be diminishing.
      So, in the same way that 'smart' users would know not to follow a link or fill out a form, they're also less likely to open an attached file, and they're more likely to be running AV software that prevents their machine from getting infected or are running an OS that wouldn't get infected anyway. Therefore the bad grammar still helps filter/focus their response rate to people who are more vulnerable.

    8. Re:Copywriting by Anonymous Coward · · Score: 0

      I send you this post in order to give your advice. Philadelphia Experiment Read It Seven ... Software Patents gone bad Flatulence is common problems affects everyone at some time or other. Sandoz Pharmaceuticals' levoflox will fix it quick. Buy here now, Google bad. Microsoft good. Tech

    9. Re:Copywriting by 1u3hr · · Score: 1

      At least in the '419-style' scams, research from Microsoft implies that the bad English is, at least in part, deliberate

      I don't believe that. It may be successful, but there is no evidence it's deliberate. This idea it's actually designed to sound dumb to target likely prey is pure conjecture. More likely it's just evolved -- just by cutting and pasting text that has worked in the past without any more analysis than that.

    10. Re:Copywriting by Zontar+The+Mindless · · Score: 1

      The text of news stories is also referred to as "copy".

      --Former writer of radio ad and news copy*.

      (*Sometimes it was even possible to discern which was which.)

      --
      Il n'y a pas de Planet B.
    11. Re:Copywriting by gshegosh · · Score: 1

      Or they just use misspell words to bypass spam filters. I know it doesn't work NOW but it used to work.

    12. Re:Copywriting by heypete · · Score: 1

      How much time does it take to verify someone's information in the Nigerian prince scheme? I thought it was "Send me your bank account info" and if you sent them something else, they'd just ignore it. I'm surprised research indicates they'd save much time filtering out the smart people.

      For the most part, the Nigerian scammers aren't interested in "pulling" money from your account via direct debit or whatever. Rather, they lure you into sending them money through otherwise-legitimate means like Western Union. Such methods are essentially anonymous and irreversible.

    13. Re:Copywriting by Anonymous Coward · · Score: 0

      Indeed. This may well be the first time in the history of slashdot that the word "copywrite" has been used in its actual meaning, instead of being a misspelled variant of "copyright".

    14. Re:Copywriting by Anonymous Coward · · Score: 0

      research from Microsoft implies

      Apparently there is evidence, you fucking moron. I can tell you what's not conjecture- your ideas sound dumb.

      The question that remains is whether you designed them to sound dumb or not. Since the only evidence that I have is your post, I would venture to say that your ideas have evolved from metaphorically "cutting and pasting" the first fuckwad idea that comes out of your mind into Slashdot, without any analysis what so ever.

      I bet you're one of those people who self diagnoses themselves with "mild aspergers" to justify your poor social skills and self-inflated ego. Just face the truth: You're a fucking idiot and will die alone with your dick in your hand.

  2. Ahh ... the humorously bad english. by oneiros27 · · Score: 5, Funny
    Here's yesterday's gem. Mind you, it was sent to an mailing list '-owner' account, too:

    Date: Tue, 10 Jul 2012 05:19:24 -0300
    From: MyUps <ups-shipping-agency@ups.com>
    To: [listname]-owner@[domain]
    Subject: You have urgent work

    Hi, [listname]-owner

    We got today a letter from tax depratment they writing that we have not paid all needed taxes. You must urgent clear this shit other way they are freeze our bank acocunts.

    I have scanned the letter for you, you will find it in attach. Clear this situtaion and write me back.

    --
    Build it, and they will come^Hplain.
    1. Re:Ahh ... the humorously bad english. by Anonymous Coward · · Score: 1

      That shit sounds serious, you better get on that, [listname]-owner.

      I'm just trying to help, I not spammer.

    2. Re:Ahh ... the humorously bad english. by oodaloop · · Score: 2

      acocunts.

      It seems that it doesn't really matter how you try to pronounce this word; they're all fun to say.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:Ahh ... the humorously bad english. by Mister+Transistor · · Score: 1

      That is absolutely hilarious, but it's interesting that "shit" has found it's way into the vernacular enough that a translating robot would substitute it as a normal general word synonym for "badness" or "bad situation".

      It's also funny when the spammer launches an unconfigured autos-pam script (to: [recipient] type stuff)...

      That said, what the little shit said is no shit, this shit is some very urgent shit! :P

      --
      -- You are in a maze of little, twisty passages, all different... --
    4. Re:Ahh ... the humorously bad english. by 228e2 · · Score: 1

      My text to voice translators have no problem saying profanity.

      --
      Since when does being a Socialist mean 'someone who has a different opinion than me'?
    5. Re:Ahh ... the humorously bad english. by oneiros27 · · Score: 1

      Doubtful it was an automated translator -- those would have been more likely to have spelled the words correctly:

      depratment ... acocunts ... situtaion

      ... any of which would've been caught by a spell checker set for English.

      --
      Build it, and they will come^Hplain.
    6. Re:Ahh ... the humorously bad english. by SpzToid · · Score: 1

      It is terrible when the acocunts gets frozen. Let's hope it doesn't come to this.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
  3. Bookmarks by organgtool · · Score: 5, Insightful

    The only thing I use bookmarks for now is to make sure I don't fat-finger the URL to one of my financial sites and enter my credentials into an imposter's site. Whenever I get an e-mail that I have a new statement or that I need to reset my password, I use the bookmark rather than clicking the link in the body of the e-mail.

    1. Re:Bookmarks by Anonymous Coward · · Score: 1

      That is good - now to avoid DNS redirects, I guess you'd need a second bookmark for each to the official IP of the websites.

    2. Re:Bookmarks by Baloroth · · Score: 1

      SSL cert signing helps a bit with that problem. If you are facing someone with a signed cert for that domain and the ability to do a DNS redirect, you're pretty well screwed. Not a lot you can realistically do to prevent that.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    3. Re:Bookmarks by Anonymous Coward · · Score: 0

      Why a 2nd one, and not just one with just the IP in it?

    4. Re:Bookmarks by Anonymous Coward · · Score: 0

      They probably all use HTTPS. Unless the phishermen got hold of a fake certificate or the bank's private key, DNS redirects would be flagged by the browser.

    5. Re:Bookmarks by downhole · · Score: 1

      That's exactly what I recommend to any basic users I talk to - a blanket policy of never ever follow any links in any email. Using only bookmarks eliminates a whole bunch of attack types.

      --
      I don't reply to ACs
    6. Re:Bookmarks by lakeland · · Score: 1

      Yes, I get SMS spam because I didn't do this once and was too sleepy to notice I'd hit the wrong site at first.

      So annoying :(

    7. Re:Bookmarks by Anonymous Coward · · Score: 0

      A lot of sites are cohosted responding only to DNA names. The rest (it seems like anyway) are mirrored and load balanced (aikame?) and so the ip may be wrong from day to day.

    8. Re:Bookmarks by avandesande · · Score: 1

      I'm such an old fart that I just type in the url when I go to a pfishable site.

      --
      love is just extroverted narcissism
  4. The decline of western civilazation by Anonymous Coward · · Score: 1

    God, I am so tired of people who don't give a fuck about anyone but themselves. This goes for more than just the spammers. I would have thought that in the 21st century, with all of the technology and information available, that people would be a bit more willing to think about what's not just good for them, but also what helps out society and world as a whole. I remember how Usenet was once a thriving and intelligent community - and because of folks like this, it is now a shadow of itself. Way to go! Yeah, I blame capitalism, ignorance and greed - short-term gains for long-term losses. Anything to make a buck. Welcome to the future where the banksters and spammers and morally bankrupt politicians and 'corporate persons' rule the day and 'apologize' when they're caught. It's time for the human race to grow the hell up and think of more than just profit. Yeah, I'm ranting - for now. Thanks for reading. ;-)

  5. Here's the real solution. by Anonymous Coward · · Score: 1

    Make spamming an offense with dire consequences. I've seen people suggest it for pedophilia. That won't work. Pedophiles aren't operating on a reward basis, but a compulsion.

    The same is not true for spammers, who see the rewards as far exceeding the costs.

    We need to change that. We need to make it possible to execute a spammer and their entire family on the streets and the person who does it gets to keep all of their stuff.

    Of course this solution will have some consequences as false-accusations of spamming will inevitably be misused, but we can fix that too, we just need to punish the exploiters there.

    And then punish those exploiters.

    Oh shit, I guess it won't work.

    But still, it gives me great emotional satisfaction to imagine executing the scumbags behind the actual spamming. (Not the low-level peons who are probably the ones going to be thrown to the wolves anyway).

    Then again, I feel the same about political campaign calls and their advertisements.

  6. The inventor of Email's advice.on spam by SternisheFan · · Score: 1

    I once read that when Ray Tomlinson (the imventor of email) was asked about spam, he said he has an ironclad rule. "If I don't recognize the sender I immediatly delete it." I've been following his advice with good results for more than a decade now.

  7. "That I see now?" by Goaway · · Score: 1

    Sircam? That's a pretty funny definition of "now".

  8. Why do spammers send so many identical spams? by Anonymous Coward · · Score: 0

    I wonder why spammers send so many identical spams over and over. My bank (or whatever) only sends one message per month to annoy me about my account. When I see 20-30 identical (or clearly permutations of the same thing), I know it is spam and delete it. Even if the spam is well written, the huge number of them tips off even a dull person. I think spammers would have more succes if they limited the number of spams so it is not obvious that a message is bogus.