Unsolicited Secret Admirers Via Email
Posted: 02 Oct 2012 12:47 AM

 

The Websense® ThreatSeeker® Network has detected an unsolicited email campaign in which love-struck or curious recipients may have their appetites whetted by the thought of a secret admirer. Although Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine, this post provides an insight into the campaign, which appears to be on the increase today.

 

The messages, sent from various Yahoo.com accounts, suggest that the sender has "to let you know how [they] feel" and provide an enticing Facebook link to "View Your Ecard".

 

 

 

As displayed above, a valid short Facebook URL is used which, in this case, redirects to hxxp://www.facebook.com/pages/32942390324/536822983001617?sk=app_190322544333196. This particular page, which appears to have been created today (October 1, 2012), makes use of a third-party Facebook app 'Static HTML App.' This app embeds the following code:

 

 

The code sends a 'signedRequest' string (visible in the highlighted URL above), which is then used to request the desired content for rendering in the victim's browser. In this case, a small piece of JavaScript is delivered:

 

 

The victim's browser is then directed to a fake ecard site hxxp://readyourecard.com/viewmessage/?a=vip36 which, according to Whois data, was registered on September 20, 2012 by 'Liu Hongmei' in China:

 

 

At this point, the aim of the campaign becomes clear: Every link on the fake ecard page redirects to an affiliate landing page on the Adult Dating website AdultFriendFinder.com and, with affiliate earnings of up to $1 per unique visitor, you can easily see how such a campaign could become very lucrative!

 

 

This campaign appears to be financially driven, but it is conceivable that the same techniques could be used to direct victims to malicious sites. Given that the redirection starts from an innocent-looking Facebook page, users should consider themselves warned to tame their curiosity and not click on unsolicited links!
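The chain above (short link, then the Facebook app page, then a JavaScript hop to the fake ecard site) is the kind of thing an analyst wants to walk automatically and log hop by hop. The following tracer is an added example and is not Websense code; it recognises HTTP 3xx, meta-refresh and simple JavaScript redirects, caps the number of hops and detects loops. The network is replaced by a constructed in-memory map (`FAKE_WEB`, `fake_fetch`) so it runs offline, and every URL in it is made up.

```python
import re
from urllib.parse import urljoin, urlparse

# Redirect forms we recognise: an HTTP 3xx Location header, a <meta refresh>, and a
# JavaScript assignment to location / location.href / window.location.
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'>\s]+)""", re.IGNORECASE)
JS_REDIRECT = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def extract_redirect(status, headers, body, base_url):
    """Return (next_url, kind) for a fetched page, or (None, None) if it does not redirect."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(base_url, headers["Location"]), "http-3xx"
    m = META_REFRESH.search(body)
    if m:
        return urljoin(base_url, m.group(1)), "meta-refresh"
    m = JS_REDIRECT.search(body)
    if m:
        return urljoin(base_url, m.group(1)), "javascript"
    return None, None


def follow_chain(start_url, fetch, max_hops=10):
    """Walk a redirect chain, recording (url, how-we-got-here) per hop.

    `fetch(url)` must return (status, headers, body). Hops are capped and loops are
    detected so a hostile chain cannot keep the tracer spinning."""
    chain = [(start_url, "start")]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        next_url, kind = extract_redirect(status, headers, body, url)
        if next_url is None:
            break
        if next_url in seen:
            chain.append((next_url, "loop"))
            break
        chain.append((next_url, kind))
        seen.add(next_url)
        url = next_url
    return chain


def hostnames(chain):
    """Distinct hosts touched, in order: the thing to compare against reputation data."""
    out = []
    for url, _ in chain:
        host = urlparse(url).hostname
        if host not in out:
            out.append(host)
    return out


# Constructed stand-in for the network so the tracer runs offline. The three hops mirror
# the shape of the campaign above (short link -> app page -> fake ecard site); every URL
# here is invented.
FAKE_WEB = {
    "http://short.example/abc": (
        302, {"Location": "http://social.example/pages/123/456?sk=app_789"}, ""),
    "http://social.example/pages/123/456?sk=app_789": (
        200, {}, '<html><body><script>window.location="http://readyourecard.example/'
                 'viewmessage/?a=vip36";</script></body></html>'),
    "http://readyourecard.example/viewmessage/?a=vip36": (
        200, {}, '<html><body><a href="http://affiliate.example/landing">View Ecard</a>'
                 '</body></html>'),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain = follow_chain("http://short.example/abc", fake_fetch)
    for url, kind in chain:
        print(f"{kind:>12}  {url}")
    print("hosts:", hostnames(chain))
```

The last hop is where the chain stops redirecting, so the final entry of `hostnames()` is the landing site to look up in Whois and reputation feeds; the intermediate hosts are the ones that make the link look trustworthy.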

 

 

You may be Surprise too receive this letterfrom me. . .
Posted: 18 Jul 2012 06:22 PM

You've almost certainly received an email similar to the one below.

 

 

 

 

Despite being well-known and transparent, the Nigerian email scam (also known as the 419 scam, a reference to the article of the Nigerian Criminal Code that such activities violate) retains its place on the list of top ten internet/email scams for 2012, and still results in millions of dollars of financial loss--and sometimes worse--for its victims. We've already blogged about a particularly amusing example caught in one of our honeypots, and a variant that adds phishing to the risks.

 

How does an obvious fraud continue to reel people in? And since the scammers want to find a likely mark and make some easy money, shouldn't they use a more credible and plausible email as bait?

 

Recent research from Microsoft suggests that email messages full of misspellings, grammar mistakes, and outrageous stories may actually work in the scammers' favor. Although it may appear counter-intuitive, it seems that the more implausible the bait, the better the chances the scammer has of actually collecting some money. Of course, most people will immediately delete an email like the one shown here (which includes an ironic warning against email scams), leaving the less savvy as easy prey for the scammers, which is exactly what they are looking for. In this way, they weed out the skeptical and cautious and reduce the pool of potential victims to those who are more likely to produce revenue. Because the scam and its Nigerian connection are so well known, there are even reports that non-Nigerian scammers may claim to be Nigerian--again, a means of weeding out the suspicious and homing in on the easy to fleece. Like legitimate businesses, scammers are also looking to optimize their operations, and don't want to waste time on unproductive activities.

 

Scambaiters are out to make them do just that, and look ridiculous into the bargain.  One site dedicated to this "cybersport" explains the game: "You enter into a dialogue with scammers, simply to waste their time and resources. Whilst you are doing this, you will be helping to keep the scammers away from real potential victims and [messing] around with the minds of deserving thieves."

In addition, the site notes:

 

"For the most part these criminals are not 'poor people trying to scratch a living', but are indeed very prosperous compared to their law-abiding countrymen, and many operate in highly organised and highly successful criminal gangs.  Millions of dollars are stolen on a DAILY basis, with absolutely no thought given to victims, who are losing vast amounts of money, homes, relatives, jobs and worse."


Scambaiters pose as potential victims and lead scammers in a merry dance. Some pretend to misunderstand the scammer's instructions, leading to repeated communications from increasingly frustrated scammers, while others send receipts for non-existent airline tickets to prove they are on their way to Africa with the money. Their only concern now is recognizing their contact at the airport arrivals hall. "Could you kindly send a photo of yourself holding a sign with my name [insert name with humorous or indelicate double meaning] to ensure we are able to meet?" They can and they do.

 

If you're thinking that the scammers' tales of woe sound like Victorian melodrama, you wouldn't be far off. Snail mail variants of the scam predate the internet by almost 200 years, dating back to the 18th and 19th centuries. Nostalgic for the good old days? In July 2012, police busted an old-fashioned lottery mail scam in Spain that has claimed over 500 victims since the beginning of the year, which means that not having an email address is no guarantee of scam protection.

 

Websense customers are protected by our Advanced Classification Engine (ACE). Of course, a healthy dose of common sense helps, too.

 

419 scams go phishing
Posted: 09 Aug 2010 11:34 PM

419 scams have become lame, and not a lot of people are falling for them these days. So the scammers have to change their tactics if they want to stay in business. The scam we describe in this blog is quite interesting because it combines a typical 419 scam with a phishing attack. After the initial communication with the scammer, the victim receives a phishing email claiming to be from PayPal, indicating that the scammer has "PayPaled" the money to the victim. Here is the long story.

 

One of my friends posted an ad on craigslist to sell his HP laptop. Dr. Robinson (a scammer and a physician from Utah) wanted to buy the laptop as a birthday gift for his son David -- who is BTW doing human development research in Nigeria. Dr. Robinson offered to send the payment via PayPal and asked that the laptop be shipped to his son in Nigeria.

 

From: Donald Robinson [donaldrobinson1001@gmail.com]
Sent: Thursday, August 05, 2010 6:07 AM
To: xxx
Subject: Re: HP   Laptop - $280

Hello,
 I am very grateful to hear back from you.I am a Medical Doctor residing in Utah.The (HP Laptop) is for my son's birthday present,due to his brilliant performance,he was currently transferred from US to West Africa with his team on a research on Human development under world Health Organization. I'll be paying you through paypal.I will forward my son's residential address to you for shipping as soon as the payment reaches you.send me your paypal email so that i will do the payment.
 NB: I will be paying you $400 for both the cost price and shipping fee.Please get back to me so that i will proceed with the payment.
Best Regards,
Dr. Robinson.

 

I created a fake email account and sent Dr. Robinson the following note:

 

Dear Dr Robinson,

Please send me your son's address and I will ship the laptop as soon as I receive the payment through paypal. My paypal email is xxx@gmail.com.
Thank you for your interest.

Regards,

 

A couple of hours later, I received a phishing email claiming to be from PayPal, indicating that I had received new funds from Dr. Robinson. Dr. Robinson was very generous and sent me $400, not the $280 posted in the craigslist ad. The social engineering part of the email was interesting:

"This PayPal payment has been deducted from the buyer's account and has been "APPROVED"but will not be credited to your account until the shipment reference/tracking number is sent to us for shipment verification and this is done to secure both the buyer and the seller against any fraudulent activities. Below are the necessary information requested before your account will be credited. Send tracking number to  us or email us through  paypalaccountserviceinfo@ovi.com and our customer service care will attend to you. As soon as you send us the shipment's tracking number   the money will be credited to your account and this is done for security purposes and the safety of the buyer and the seller."

 

 

 

A couple of minutes later, I received another phishing email claiming to be from PayPal, telling me that PayPal was waiting for my shipment tracking number. They also assured me that the order had been confirmed and that I could ship it to the buyer now, but that I had to do so within 48 hours. I googled the transaction ID "8UG760668M701084Y" and found three posts [1,2,3] describing similar scams.

 

 

A couple of minutes later, Dr. Robinson emailed me to say that he had sent me the money via PayPal. He asked that I ship the laptop first thing in the morning via USPS first class express mail in an insured package. The interesting thing about the address is that all three posts above share the same city and state in Nigeria, "Uwani, Enugu, Nigeria". I looked up the city in Google Maps but did not find anything eye-catching, except the Enugu prison in the neighborhood!
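The two fake PayPal messages share a recognisable shape: the mail invokes the PayPal brand but asks the victim to reply to a mailbox on an unrelated domain, it withholds the "approved" payment until a shipping tracking number is produced, and it imposes a deadline. The scorer below is an added example (not Websense code) that turns those three tells into findings over raw RFC 822 text. The legitimate-domain table, the sender address `notify@paypal-secure.example` and the sample messages are constructed for the demo; the phishing body paraphrases the quoted text above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand name -> domains that may legitimately send mail for it. Assumed for this demo;
# a real deployment would load this from configuration.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_brand_domain(domain, brand):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def score_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    findings = []

    for brand in BRAND_DOMAINS:
        if brand not in text and brand not in from_addr.lower():
            continue  # message does not invoke this brand at all
        # Brand invoked: every address the victim would answer to must belong to the brand.
        for header, addr in (("From", from_addr), ("Reply-To", reply_addr)):
            if addr and not is_brand_domain(domain_of(addr), brand):
                findings.append(f"{header} invokes {brand} but uses {domain_of(addr)}")
        for addr in sorted(set(EMAIL_RE.findall(body))):
            if brand in addr.lower() and not is_brand_domain(domain_of(addr), brand):
                findings.append(f"brand-named mailbox on a third-party domain in body: {addr}")

    # The ship-first hook: the "payment" is held until the victim proves the goods are gone.
    if "tracking number" in text and "credited" in text:
        findings.append("payment withheld until a tracking number is supplied (ship-first pressure)")
    if re.search(r"within \d+ hours", text):
        findings.append("artificial deadline")
    return findings


# Constructed samples. The phishing text paraphrases the post's "APPROVED but not credited"
# message; the sender domain is invented.
PHISH = """\
From: PayPal Service <notify@paypal-secure.example>
Reply-To: paypalaccountserviceinfo@ovi.com
Subject: Notification of payment received

This PayPal payment has been deducted from the buyer's account and has been
"APPROVED" but will not be credited to your account until the shipment
reference/tracking number is sent to us for shipment verification. Send the
tracking number to paypalaccountserviceinfo@ovi.com and our customer service
will attend to you. You must ship the item within 48 hours.
"""

BENIGN = """\
From: service@paypal.com
Subject: Receipt for your payment

You sent a payment of $12.00 to Example Store. View the details of this
transaction in your account.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, score_message(sample) or ["no findings"])
```

Header checks alone are not enough here: a real notification from paypal.com would pass the domain tests, so the content tells (payment held pending a tracking number, a deadline) carry the weight on the ship-first variant. Conversely, a message that merely mentions PayPal while discussing an invoice triggers none of them.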

 

 

David Robinson: I wish you a very happy birthday and I wish you success in your research on human development in Nigeria, but you are not receiving a laptop for your birthday. Brad can send you one if he likes :)

 

(Acknowledgment: T and R)

 

Twitter Spam: Is It Just Me Or…
Posted: 25 Sep 2009 10:26 AM

Is it just me, or has spam on Twitter been growing exponentially recently? I've always received the occasional good-looking-not-very-dressed new follower notification by email, but recently I've been receiving @ messages like this:

[Image: Twitter spam]

What is your experience with this? What kind of spam are you seeing on Twitter? Is there anything Defensio could do to make your life better on Twitter?

Defensio, the blog

Adventures in Spam: Hollywood-style spamming
Posted: 27 May 2009 12:07 PM

If you think image spam is elaborate, think again!

 

At Defensio, we see all kinds of crazy and innovative spam each day. But recently, something we never thought we'd ever see showed up on our radar: a significant influx of VIDEO spam, most of it hosted on YouTube.com. I guess this just shows how far spammers are ready to go to sell their junk.

Here's a screenshot...

 

 

What do you think will be the next trend in spam?

Defensio, the blog

Adventures in Spam, part II: Is your Blog a Blackhole for Comments?
Posted: 17 Feb 2008 06:23 AM

In the "traditional" world of blog spam filters, spam accumulates in your spambox, sometimes at an alarming rate.

Occasionally legitimate comments, left by the users of your blog, will be eaten by your filter -- an expected and normal occurrence (if not somewhat annoying) as no filter can ever be perfect.

When such "false positives" occur, one of 3 things will happen:

1) The commenter may send you a belligerent polite email notifying you that his/her comment failed to make it through to your blog;

2) If you're fastidious and eagle-eyed, you may notice the errant comment in your spambox and restore it before its absence can be noticed by too many readers;

3) You may fail to pick up on the comment as it becomes buried in spam, sucked into a black hole from which it will never emerge.

If you've spent any time blogging, it's almost a given that #1 happens to you every other day. And as we all know, good blogging practice requires that you keep your garden clean and so you'll probably perform #2 on a regular basis, typically digging out a handful of erroneously caught comments whenever you check.

But, the million dollar question: How often does #3 occur? With what frequency are legitimate tidbits of commentary/knowledge passed on by your readers but never made live to the web? How much conversation spirals down the dark recesses of the urinal drain?

Sadly, it's impossible to say. Your spambox may be riddled with such false-positives, but it is probably so overflowing and poorly chronologically organized that seeking out each and every one of these errors is simply impractical if not done on a daily basis.

If any of this resonates for you, we think you'll jump for joy for Defensio which puts an end to the blackhole problem by:

  • Sorting your spambox by the "spaminess" of each comment, so that those least likely to be spam (i.e. most likely to be false positives) bubble up to the top for easy identification;
  • Providing you with an RSS feed of spam (and legitimate) comments, so that you can easily and quickly identify mistakes without having to log into your blogging platform;
  • Cranking up the dial on performance through individualized and continuous learning algorithms, so that fewer errors occur, period.

Download Defensio now, and stop losing comments to spam.

Defensio, the blog

Adventures in Spam: Part I
Posted: 25 Sep 2007 01:06 PM

We here at Defensio HQ see a lot of spam; spam in all its flavors and incarnations. Occasionally we see new techniques that baffle the mind. URL-less spam (that is, spam not containing URLs) is one of these baffling new forms of spam we've seen cross our desk, so puzzling that it's worth delving in to try to understand what in the world it means.

Example

URL-less spam looks like the following:

[Image: a spam comment without any URL]

Notice that this commenter (i.e. spammer) has not left a URL with his/her credentials, nor has he/she supplied any URLs in the body of the comment.

The Issue

Why is this strange? Because the entire reason spammers typically hit blogs with their bogus comments is to populate the web with URLs that link back to their spammy sites, and thus manage to exploit the Google juice of the sites they breach with the goal of boosting their own search engine rank. And so, bombarding a blog with comments that do not contain URLs defeats the whole purpose, and results in no obvious net benefit to the spammer, other than the evil satisfaction of annoying the hell out of bloggers.

Motives

So if not to exploit Google juice, why do spammers go with a URL-less approach? Two theories:

1) To "train" spam filters to allow specific keywords.

Filters that use statistical filtering learn over time. By having legitimate-looking comments make it through the filter, while containing a handful of specifically-chosen keywords, spammers could be trying to tip statistical filters toward starting to consider such keywords as innocent, thus increasing the likelihood that future spam comments containing these words will bypass spam defenses.

2) To be whitelisted.

Some spam filters allow users that successfully post comments X number of times to be added to a whitelist, meaning they will bypass the filter in the future. Since URL-less spam typically looks fairly normal, spammers hope that bloggers will fail to identify their comment as spam enough times that auto-whitelisting might kick in.

These motives are simply our best guesses at what might be in spammers' nefarious minds. Who knows, simple annoyance could be their sole, inexplicable, goal?
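Both theories describe the same weakness: a filter that learns from, and auto-whitelists on, comments that merely slipped past it. The example below is added here and is not Defensio code. It pairs a small Graham-style word filter with a comment gate that can be run in two modes: the naive design, where any comment that passes the filter is learned as ham and counts toward the whitelist, and a hardened design where only moderator-approved comments do either, and where a whitelisted author's comment is still scanned whenever it contains a link. The seed comments, the drip comment, the probe and the 0.4 score for unknown tokens are constructed or assumed for the demo.

```python
import re
from collections import Counter

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[a-z']+")


def tokens(text):
    """Distinct word tokens, with URLs stripped first (links are judged separately)."""
    return set(TOKEN_RE.findall(URL_RE.sub(" ", text.lower())))


class TokenModel:
    """Graham-style word filter: each known token gets a spam probability from how often it
    appears in spam versus ham comments; tokens never seen are treated as neutral (0.4)."""

    def __init__(self):
        self.count = {"ham": Counter(), "spam": Counter()}
        self.docs = {"ham": 0, "spam": 0}

    def learn(self, text, label):
        self.docs[label] += 1
        self.count[label].update(tokens(text))

    def token_spam_probability(self, token):
        s_c, h_c = self.count["spam"][token], self.count["ham"][token]
        if s_c == 0 and h_c == 0:
            return 0.4
        s = s_c / self.docs["spam"] if self.docs["spam"] else 0.0
        h = h_c / self.docs["ham"] if self.docs["ham"] else 0.0
        return min(0.99, max(0.01, s / (s + h)))

    def spam_probability(self, text):
        p_spam, p_ham = 1.0, 1.0
        for t in tokens(text):
            p = self.token_spam_probability(t)
            p_spam *= p
            p_ham *= 1 - p
        return p_spam / (p_spam + p_ham)


class CommentGate:
    """Comment pipeline with an auto-whitelist. learn_from_filter_passes=True is the naive
    design (whatever slips past the filter trains it and counts toward the whitelist);
    False is the hardened design (only moderator-approved comments do either)."""

    def __init__(self, model, learn_from_filter_passes, whitelist_after=5, cutoff=0.5):
        self.model = model
        self.naive = learn_from_filter_passes
        self.whitelist_after = whitelist_after
        self.cutoff = cutoff
        self.approved = Counter()

    def is_whitelisted(self, author):
        return self.approved[author] >= self.whitelist_after

    def submit(self, author, text, moderator_approved=False):
        """Return 'published' or 'spambox'."""
        # A whitelisted author skips the filter only for link-free comments: anything
        # carrying a URL is always scanned, so farming a whitelist entry buys nothing.
        if self.is_whitelisted(author) and not URL_RE.search(text):
            return "published"
        if self.model.spam_probability(text) >= self.cutoff:
            return "spambox"
        if moderator_approved or self.naive:
            self.approved[author] += 1
            self.model.learn(text, "ham")
        return "published"


# Constructed training data and probes.
HAM_SEED = ["great article thanks for sharing", "nice post thanks i learned a lot",
            "thanks this helped me fix my blog", "interesting read looking forward to the next part"]
SPAM_SEED = ["cheap pharmacy pills buy now http://pills.example",
             "buy cheap pills online pharmacy www.pills.example",
             "casino bonus free spins http://casino.example",
             "discount pharmacy pills online"]
DRIP = "nice post thanks pharmacy prices are crazy these days"   # URL-less, keyword-laden
PROBE = "best pharmacy deals at http://rx-deals.example"          # later spam reusing the keyword


def seed_model():
    m = TokenModel()
    for t in HAM_SEED:
        m.learn(t, "ham")
    for t in SPAM_SEED:
        m.learn(t, "spam")
    return m


def run_drip(naive, n=20):
    """Push n URL-less keyword comments through the gate; return the probe's spam score
    before and after, so the drift (or lack of it) is visible."""
    model = seed_model()
    gate = CommentGate(model, learn_from_filter_passes=naive)
    before = model.spam_probability(PROBE)
    for i in range(n):
        gate.submit(f"drip{i}", DRIP)
    return before, model.spam_probability(PROBE)


def whitelist_demo():
    """Whitelist an author via five moderator approvals, then show a link-free comment
    bypassing the filter while a linked one is still scanned."""
    gate = CommentGate(seed_model(), learn_from_filter_passes=False)
    for _ in range(5):
        gate.submit("regular", "thanks this helped me a lot", moderator_approved=True)
    return (gate.is_whitelisted("regular"),
            gate.submit("regular", "another thought on this post"),
            gate.submit("regular", "cheap pills online pharmacy http://pills.example"))


if __name__ == "__main__":
    print("naive gate, probe before/after:", run_drip(naive=True))
    print("hardened gate, probe before/after:", run_drip(naive=False))
    print("whitelisted author:", whitelist_demo())
```

With the naive gate, twenty link-free comments are enough to drag the word "pharmacy" from a strong spam indicator to a neutral one, and a later spam comment built around that word slips through; with the hardened gate the model is untouched because nothing was moderator-approved, and the whitelisted author's linked comment still lands in the spambox.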

Defensio, the blog

©2013 Websense, Inc. All Rights Reserved.