How Exploit Kits Have Changed Spammers' M.O.

An anonymous reader writes "Spammers used to depend on email recipients to tie the noose around their own necks by inputing their personal and financial information in credible spoofs of legitimate websites, but with the advent of exploit kits, that technique is slowly getting sidelined. Prompted by the rise in numbers of spam runs leading to pages hosting exploit kits, Trend Micro researchers have recently been investigating a number of high-volume spam runs using the Blackhole exploit kit. According to them, the phishing messages of today have far less urgency and the message is implicit: 'Your statement is available online'; or 'Incoming payment received'; or 'Password reset notification.'" One thing that's long worried me is that the bulk of spammers and malware writers may hire copywriters with a better grasp of English than most of the ones I see now. "I send you this file in order to have your advice" was funny, because it stuck out.

Copywriting

"One thing that's long worried me is that the bulk of spammers and malware writers may hire copywriters with a better grasp of English than most of the ones I see now"

At least in the '419-style' scams, research from Microsoft implies that the bad English is, at least in part, deliberate. It's obvious enough to 'smart' people that they won't bother responding (and therefore tying up the spammer's time trying to extricate their funds/credentials/whatever). However, less-savvy people might not realize it's a scam and therefore follow the links. As a result the hit rate of people who do respond is likely to be higher, resulting in a better yield for the scammer.

Re:Copywriting

[stillpixel]

I suppose that technique would boil down to basically use the grammar most likely used by the persona you are targeting much like in advertising. So if you are targeting people less educated or computer savvy, then use poor grammar and misspell words.

Re:Copywriting

[N0Man74]

They are different attack vectors with different goals. Phishing relies on confusing a fake organization for a legitimate one. The more authentic and professional looking the better. Even a non-gullible person might fall prey to some of these sites (especially when more people are viewing e-mails on their phones and phones make it MUCH harder to see the tell-tale sign of a bad link).

When all you need is log-in information, or a bit of personal information, the more legitimate looking the better. You don't care if the person is gullible or not, because you are asking less of them. You set up a web server and just collect data with no need for human interaction with the visitors.

The Nigerian scams need people that are more gullible because those scams require more human time investment (and direct interaction) on the part of the scammer, and a greater amount of gullibility for their prey (since it also involves them sending money, not just filling in a form).

Ahh ... the humorously bad english.

[oneiros27]

Here's yesterday's gem. Mind you, it was sent to an mailing list '-owner' account, too:

Date: Tue, 10 Jul 2012 05:19:24 -0300
From: MyUps <ups-shipping-agency@ups.com>
To: [listname]-owner@[domain]
Subject: You have urgent work

Hi, [listname]-owner

We got today a letter from tax depratment they writing that we have not paid all needed taxes. You must urgent clear this shit other way they are freeze our bank acocunts.

I have scanned the letter for you, you will find it in attach. Clear this situtaion and write me back.

Re:Ahh ... the humorously bad english.

[oodaloop]

acocunts.

It seems that it doesn't really matter how you try to pronounce this word; they're all fun to say.

Bookmarks

[organgtool]

The only thing I use bookmarks for now is to make sure I don't fat-finger the URL to one of my financial sites and enter my credentials into an imposter's site. Whenever I get an e-mail that I have a new statement or that I need to reset my password, I use the bookmark rather than clicking the link in the body of the e-mail.