Tuesday, May 17, 2011

Phun With Phishing

I have a lot of friends stranded overseas, and a lot of relatives who left me bzillions of dollars after dying fortuitously in a vehicle crash, and more than a few people who trust me enough to invite me to help them transfer a huge trust fund for orphans to safe haven in a US Bank account, at least according to some of the unsolicited email I get. I generally ignore these, simply because there are too many to answer them all, and it would be unfair to answer only a few and leave the others twisting helplessly in the wind, and also because 99% of them get caught by my email spam filter and routed to the most appropriate folder (the trash). Every once in a while though, one gets through, and sometimes it's even barely interesting, or else vaguely amusing.

Take this one, for example. In the current tough economic times, lots of folks are looking for jobs.

An email with the subject line “Job Offer !” could get just about anyone's attention, at least for a moment or two. It got mine, though probably not in quite the way the sender(s) intended, since the first two things that caught my attention were the extra space before the “!” in the heading, and the return address of “jobs@carrerbuilder.com”.

Okay, so maybe the address “careerbuilder” was already taken. But frankly, there are likely enough properly spelled permutations still available to make this a weak excuse. It certainly doesn't excuse that annoying “ !” bit. This left me with a clear first impression: these guys can't use proper punctuation, and they can't spell. For a group purporting to help me build a career, they're not off to a great start. I wasn't impressed by the “no recipient” in the To field, either. I could assume they simply blasted this announcement out to a mailing list, but not bothering to call it something other than “no recipient” is at best lazy, and at worst just plain rude.

The body of the email isn't TOO bad; there are no more egregious spelling errors, although they still seem stuck on putting unneeded spaces in front of punctuation marks. The “job offer” itself isn't too outlandish – there really are mystery shopper programs out there, and legitimate companies do pay people to participate. This, however, isn't one of them.

As a matter of fact, it turns out that emails from “carrerbuilder.com” have already been flagged by several watchdog websites, such as this one, and the domain itself is simply parked. Color me not surprised.

Now, that would normally be the end of it. A lot of these types of phishing emails are sent purely to get the “no recipients” to reply, even if the reply consists of “BUZZ OFF!” (or something more colorful), in order to verify as many “live” email addresses as possible. Spammers will pay more for lists of verified email addresses; it's more profitable to phish in ponds they know are stocked. But these guys went one better: they helpfully included an Application Form, as an .html attachment. As my tinfoil hat is about two sizes too small, I rather doubt it's really an application form. I further doubt it's a benign little .html file that will do nothing more than open locally in my browser and display text, or dollar signs, or happy dancing bunnies. There are a lot of file types that can contain executable code these days, code that will run as soon as the file is opened, under the right conditions, and .html files are certainly one of those types.

I'll probably save this not-so-benign .html file for later perusal – under the right conditions, of course. I do hope the helpful hackers at “carrer builder” aren't breathlessly waiting for me to send back my completed application. I don't accept candy from strangers, and I don't open attachments from them, either.

Neither should you.
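
The three warning signs picked out above (the misspelled sender domain, the missing recipient, and the .html attachment) can all be checked from the raw message without opening anything in a browser. The Python below is an added example, not part of the original post; the allow-list, the marker strings, the attachment name and contents, and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains this mailbox legitimately receives mail from.
KNOWN_DOMAINS = {"careerbuilder.com"}
ACTIVE_MARKERS = ("<script", "<form", "<iframe", "javascript:")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return findings for one raw message; the attachment is read as text, never rendered."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    for known in KNOWN_DOMAINS:
        if 0 < edit_distance(domain, known) <= 2:  # close to a known name, but not equal
            findings.append(f"lookalike-sender:{domain}~{known}")
    to = str(msg.get("To", "")).strip().lower()
    if not to or to.startswith("undisclosed"):
        findings.append("no-visible-recipient")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            body = part.get_content()
            text = body if isinstance(body, str) else body.decode("latin-1")
            active = [m for m in ACTIVE_MARKERS if m in text.lower()]
            findings.append(f"html-attachment:{name}:{','.join(active) or 'static'}")
    return findings

def sample_message():
    """Constructed message modelled on the one described in the post."""
    m = EmailMessage()
    m["From"] = "jobs@carrerbuilder.com"
    m["Subject"] = "Job Offer !"
    m.set_content("Become a mystery shopper .")
    m.add_attachment("<html><form action='#'><script>/* placeholder */</script></form></html>",
                     subtype="html", filename="application_form.html")
    return m.as_string()

if __name__ == "__main__":
    print(triage(sample_message()))
```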