Scams, Spam and Phishing
Staying Safe on the Internet
Your E-Mail is Attacking You
Once you have an e-mail address, you are immediately at risk
of attack from a mob of disreputable advertisers and,
worse yet, con artists.
As usual in information security,
there are both new terms and old terms used in new ways.
Some of the terminology may seem silly, but it does give us
a label we can use to describe and discuss these threats.
This page explains these threatening new concepts and the
terms that describe them, including:
This page also provides links to some excellent on-line quizzes you can use to assess and build your on-line savvy and scam resistance.
Scams
A broad range of confidence frauds collectively known as Nigerian scams are all too common on the Internet. While they are perpetrated from all locations, they have become associated with Nigeria because of the extremely ludicrous nature and stilted writing of the examples coming from that country. They are also called 419 scams as a reference to the section of the Nigerian Criminal Code dealing with fraud.
The classic Nigerian scam is an e-mail from someone asking for your assistance in moving a large sum of money, typically several million dollars, out of the country. The purported money is typically the result of embezzlement, inheritance, or unclaimed property.
These are not new, one version described in the memoirs of the French criminal turned private investigator Eugène François Vidocq (1775-1857) goes back to the 18th or 19th century. Another from around 1830 contained wording very similar to the Nigerian e-mails of today, starting "Sir, you will doubtlessly be astonished to be receiving a letter from a person unknown to you, who is about to ask a favour from you ..." and continuing on about a casket containing 16,000 Francs in gold and the diamonds of a deceased marchioness. A Microsoft researcher has explained that the ridiculousness of the promises of vast wealth from Nigerian Princes is actually to the advantage of the scammers, as only the most gullible targets respond and the scammers' efforts can be most effectively applied.
These scams became enormously popular in Nigeria in the 1980s in the form of postal letters. After Sani Abacha, the de facto president of Nigeria since 1993 died in 1998, his widow Maryam Abacha attempted to flee the country with suitcases filled with currency. Her name has since been used frequently in Nigerian scams.
Other versions include fake announcements that you have won a lottery in Spain, or the Netherlands, or the U.K., or another country.
More recent and slightly less ludicrous versions are based around stories of fictional U.S. military personnel who supposedly stumbled upon hidden caches of gold or other wealth in Iraq or Afghanistan.
If it sounds too good to be true, then it is precisely that — it is not true.
Urban Legends
Urban legends appear in the opposite form — stories that are too ghastly to not be true. They also take the form of stories so inspirational or sickeningly sweet that the sender is convinced that they ought to be true.
If you receive an e-mail that already has been forwarded several times, and you are admonished to immediately read it, heed it, and then forward it "to everyone you care about", then it almost certainly is false.
The people who mindlessly forward this nonsense are, of course, offended if you point out to them that this is widely known to be a silly urban legend. They will say "better safe than sorry!" and scold you to pay attention to it anyway and then forward it "just in case."
The snopes.com Urban Legends Reference can quickly show that a given urban legend is, in fact, nonsense, and for how many years most of the world has realized that. It also gets into the psychology or anthropology behind the powerful attraction these archetypal tales hold for people.
Stolen E-Mail Credentials
Stolen e-mail credentials allow a criminal to masquerade very convincingly as a friend in trouble.
Step 1: Someone with a web-based e-mail account such as Gmail, Hotmail, Yahoo, etc., has their credentials stolen. Maybe a phishing attack (see below for the details) tricks them into attempting to sign in to a bogus page masquerading as their legitimate e-mail provider. Or maybe some spyware gets installed on their Windows system when they inadvertently visit a compromised web page. The criminal can now use their e-mail account and therefore their on-line identity.
Step 2: Everyone in their address book receives a message which might look very convincing, apparently from a friend who is stranded on a trip because their money and credit cards have been stolen. "Please help me out of this horrible situation, please wire me some money so I can get home!"
In a less dangerous but also annoying variation, maybe you instead keep getting short "Check this out!" messages trying to get you to look at some web page masquerading as a reputable source but actually pushing very questionable goods.
Spam
Image spam is an advance by the attackers.
Instead of text about their shady products, which could be
automatically recognized and their message discarded,
they send a picture of their ad.
Or it's a Microsoft Word *.doc file, or a Zip
archive containing a PDF file, or some other nested
representation of their spam.
Of course, those things often contain malicious software
instead, or in addition to, the spam.
This, however, is simply an image of a significant
mass of Spam!
Spam in this context is not the glistening salty meat-like product from Hormel, but unwanted advertising clogging your mailbox.
Its silly name comes from a Monty Python episode, in which an early skit had a man offered a menu consisting of an unusual number of dishes based on Spam, along with Spam, and also Spam. Then most of the remaining skits in the episode had a character irrelevantly trying to push Spam on other characters. It was typical Monty Python absurdity.
In 1994, a pair of the more disreputable lawyers in Phoenix, Arizona, got connected to the Internet and started sending out a flood of irrelevant and intrusive advertisements for their over-priced assistance in getting Green Cards for U.S. residency. These annoying messages were sent to every mailing list they could infiltrate and posted to every USENET group.
Someone observed that the annoying messages were like the Spam in what then was already an old Monty Python episode. Increasingly frequent and intrusive pushy offers of something unwanted. The name stuck.
Spam frequently pushes either questionable pharmaceuticals or bootleg copies of designer goods such as extremely expensive watches. It is also used to try to talk gullible investors into buying nearly worthless "penny stocks" in an effort to play the stock market.
Spam-filtering software attempts to detect and flag or
even pre-emptively delete these irrelevant messages.
So the spammers use creative misspellings to avoid
the simplest of pattern matching, offering
V1agr@ and C!a1is and similar.
My ISP is Comcast, and their spam filtering does keep out most of the spam I would otherwise see. Unfortunately, Comcast also throws out some of the good with the bad. There are a number of mailing lists I can join but I never see the messages.
Before a territory swap with Comcast, Insight Broadband ran the cable television and high-speed Internet provider where I live. A little more spam got through, most of it in foreign languages, or at least in languages like Russian and Hebrew which use non-ASCII character sets. The Russian spam seemed to be mostly about renting and outfitting office space in Russia. I once asked someone who could read Hebrew to look at my most recent dozen or so Hebrew spams, and he said that most of them were trying to sell timeshares in Tel Aviv.
According to a historian quoted in an Economist article on the etiquette of telecommunications, the first spam was sent in May of 1864 when Messrs Gabriel of 27 Harley Street in London sent a wave of telegrams advertising dentistry to several British politicians. In the late 1800s, Western Union allowed telegraph messages to be sent across its network to multiple destinations in an early form of multicast. Telegraphy in Europe was regulated by national post offices, but before 1929 wealthy Americans received constant streams of bogus investment offers. These were much like the "hot tip on a rising stock" form of spam we're still stuck with today.
Of course, sometimes spam content can be unintentionally artistic.
Phishing
Phishing is an attempt to acquire the information needed for identity and/or monetary theft — usernames and passwords, or credit card details including the PIN and the 3 or 4 digit security code on the back of the card.
The silly name, not that it matters, is a variation on "fishing".
The mechanism is a carefully crafted e-mail message directing the target to a web page masquerading as a legitimate one. If the victim attempts to log in there, the phishing attacker has collected their sensitive information.
Phishing is done by untargeted mass mailings. If an attacker sends out a few million messages, several recipients will be customers of major institutions like CitiBank, PayPal, and similar.
How do you train people to notice and defend against
phishing attacks?
It's a psychology problem.
See, for example, this research paper:
How Experts Detect Phishing Scam Emails
Use These On-Line Phishing IQ Tests!
A number of very good game-like pages exist to test your phishing IQ and show you how to be less likely to become a victim. Try these!
Remember that not everything is a scam, and if you disbelieve everything you will also be unable to function. So be careful, some of the examples you encounter in these quizzes are scams but some are not. SonicWALL changes their test from time to time, but generally it's 50% phish and 50% legit.
This is the best of the lot, it is very realistic and provides explanations when you go back through to see your score. Take this test and see how you do!
One of the big targets of phishing, a very security-aware organization, has put together a nice phishing IQ quiz.
This isn't a quiz or game, it's a presentation, but it's eBay's take on how to spot fraud attempts.
Similarly, this is a presentation rather than a quiz, from Visa this time.
Good quiz on phishing web pages, concentrates on paying attention to the URL.
From the Washington Post "Technology" section.
This one is useful, even though it's rather simple.
This is pretty useful, but the drawback is that the explanations are too detailed for the typical user.
This is pretty simple, but useful.
Spear Phishing
Spear phishing is a targeted, carefully researched, and laboriously crafted extension on simple phishing. Instead of casting lures everywhere, a spear is carefully and narrowly targeted.
Real-world examples of this include a series of messages sent to some Pentagon officials and some Harris Corporation engineers, apparently from each other regarding the details of a contract to manufacture some defense electronics equipment. The messages really came from someone trying to steal sensitive design information.
Many of the really significant more recent attacks, including some that planted APT or Advanced Persistent Threats and verging on cyberwarfare, have started with spear phishing getting malicious software in place to steal information. See the Cyberwar page for more details.
All of the hostile e-mail is getting more convincing and therefore more dangerous.
The criminals and annoying spammers used to be a pretty clueless and clumsy bunch, but not any more. Sure, there are still obvious Nigerian scammers, but a researcher has explained that the ridiculousness of their messages is actually to their advantage.
Meanwhile, less clumsy variations on the advance-fee scam use far better English to describe slightly less ludicrous stories about U.S. service personnel and missionaries, playing on a combination of naïveté plus patriotism and/or religiousness.
The world of spam is no longer limited to broken English about erection medications, or urgent messages from Chinese vendors of locomotive parts or other bizarrely unlikely merchandise.
Similarly, the mass-mailed basic phishing attacks looking for customers of large banks have cleaned up the English that usually wasn't just broken, but shattered.
The phishing IQ quizzes listed earlier are becoming more and more important!
From media.nara.gov in an era when Eskimo and Equimaux were used in place of the more appropriate Inuit-Yupik and Aleut.
Another successful whaling operation! From www.afsc.noaa.gov.
Whaling
People looking to introduce new labels (whether they're really needed or not) have borrowed this one from the gambling industry: Whaling is an attack that goes after the "whales".
In the gambling industry, a whale is a person who will repeatedly visit a casino despite regularly losing large amounts of money. It is in the casinos' best interest, of course, to entice a whale to visit them again and again. The whales will brag about how nice the casinos are to them, giving them free upgrades (into suites otherwise sitting vacant) and free drinks and meals.
In the realm of e-mail scams, whaling is used to refer to spear phishing aimed at CEO and similar "C-suite" executives.
Yes, I realize that people in the defense industry and government will object, saying that the CEO isn't necessarily cleared for the most sensitive data, or even if they are, they don't have easy access to it. Certain engineers would be better targets of espionage.
I agree! However, I'm trying to describe how the words are used, not how they should be used. To use the linguistics terms, I'm being descriptive and not prescriptive.
And even more words!
Many people seem to be on a quest for the fame that they believe will come from crafting a new word or acronym!
SPIT is used to mean Spam over Internet Telephony, so this is telemarketing via Skype or other VoIP technology.
SPIM is used to mean Spam sent over IM (Instant Messaging) or text messages. But since text messaging is called SMS for Simple Message Service in most markets, some people insist that this should be SpaSMS.
Vishing is used to mean phishing type attacks
carried out by voice calls:
Vishing is to phishing as telemarketing is to spamming.
Smishing is SMS based phishing.
Back to the main Security Page