This morning I received an email, sent to a list of people (I assume). The subject of the email was “Computer Hacker’s service needed” and the contents indicated that the sender was seeking someone to trace back to the sender of some enclosed email. The email in question? The pernicious spam email purporting to be from someone who has been given a contract to murder the recipient, but on reflection will not do the deed if offered a sum of money.
This form of spam is well-known in most of the security and law enforcement communities, and there have been repeated advisories and warnings issued to the public. For instance, Snopes has an article on it because it is so widespread as to have urban legend status. The scam dates back at least to 2006, and is sometimes made to seem more authentic by including some personalized information (usually taken from online sources). A search using the terms “hitman scam spammer” returns over 200,000 links, most of the top ones being stories in news media and user alert sites. The FBI has published several alerts about this family of frauds, too. This is not a rare event.
However, it is not that the author of the email missed those stories that prompts this post. After all, it is not the case that each of us can be aware of everything being done online.
Rather, I am troubled that someone would ostensibly take the threat seriously, and as a follow-up, seek a “hacker” to trace the email back to its sender rather than report it to law enforcement authorities.
One wonders if the same person were to receive the same note on paper, in surface email, whether he would seek the services of someone adept at breaking into mail boxes to seek out the author? Even if he did that, what would it accomplish? Purportedly, the author of the note is a criminal with some experience and compatriots (these emails, and this one in particular, always refer to a gang that is watching the recipient). What the heck is the recipient going to do with someone—and his gang—who probably doesn’t live anywhere nearby?
Perhaps the “victim” might know (or suspect) it is a scam, but is trying to aid the authorities by tracing the email? But why spend your own money to do something that law enforcement is perhaps better equipped to do? Plus, a “hacker” is not necessarily going to use legal methods that will allow the authorities to use the results. Perhaps even more to the point, the “hacker” may not want to be exposed to the authorities—especially if they regularly break the law to find people!
Perhaps the victim already consulted law enforcement and was told it was a scam, but doesn’t believe it? Well, some additional research should be convincing. Plus, the whole story simply isn’t credible. However, if the victim really does have a streak of paranoia and a guilty conscience, then perhaps this is plausible. However, in this case, whoever is hired would likewise be viewed with suspicion, and any report made is going to be doubted by the victim. So, there is no real closure here.
Even worse, if a “hacker” is found who is willing to break the rules and the laws to trace back email, what is to say that he (or she) isn’t going to claim to have found the purported assassin, he’s real, and the price has gone up but the “hacker” is willing to serve as an intermediary? Once the money is paid, the problem is pronounced “fixed,” This is a form of classic scam too—usually played on the gullible by “mystics” who claim that the victim is cursed and can only be cured by a complicated ritual involving a lot of money offered to “the spirits.”
Most important—if someone is hired, and that person breaks the law, then the person hiring that “hacker” can also be charged under the law. Hiring someone to break the law is illegal. And having announced his intentions to this mailing list, the victim has very limited claims of ignorance at this point.
At the heart of this, I am simply bewildered how someone would attempt to find a “hacker”—whose skill set would be unknown, whose honesty is probably already in question, and whose allegiances are uncertain—to track down the source of a threat rather than go to legitimate law enforcement. I can’t imagine a reasonable person (outside of the movies) receiving a threatening letter or phone call then seeking to hire a stranger to trace it back rather than calling in the authorities.
Of course, that is why these online scams—and other scams such as the “419 scams” continue to work: people don’t think to contact appropriate authorities. And when some fall for it, it encourages the spammers to keep on—increasing the pool of victims.
(And yes, I am ignoring the difficulty of actually tracing email back to a source: that isn’t the point of this particular post.)
Lots of new papers added this week—more that we can list here. Check the Reports and Papers Archive for more.
[tags]Google, spam, 419[/tags]
I recently blogged about some unsolicited email I received from a recruiter at Google. Much to my surprised, I was shortly thereafter contacted by two senior executives at Google (both of whom I know). Each apologized for the contact I had received; one assured me he would put in a positive recommendation if I wanted that sys admin position.
I have been assured that there will be some re-examination made of how these contacts are made. So, score one for my blog changing the world! Or something like it.
[posted with ecto]
[tags]Google, spam[/tags]
Today I received email from a google.com address. The sender said he had found me by doing a search on the WWW. He indicated he hoped I wasn’t offended by his sending unsolicited email. However, he had a great offer for me, one that I was uniquely qualified for, and then offered a couple of URLs.
Does that sound familiar?
My first thought was that it was a 419 scam (the usual “I am the son of the crown prince of Nigeria…” letters). However, after checking out the mail headers and the enclosed URLs, it appears to be a (semi) legit letter from a Google recruiter. He was asking if I was open to considering a new, exciting position with Google.
And what exciting new position does the Google recruiter think I’m ideally suited for? Starting system administrator…..
And by the way, sending email to “abuse@google.com” gets an automated response that states, in no uncertain terms, that Google never sends spam and that I should take my complaints elsewhere.
Gee, think this is a new career possibility for me?
[posted with ecto]
mod_security is an essential tool for securing any apache-based hosting environment. The Pathfinder High Performance Infrastructure blog has posted a good starter piece on using mod_security to block email injections.
One of the more common problems with PHP-based applications is that they can allow the injection of malicious content, such as SQL or email spam. In some cases we find that over 95% of a client’s ISP traffic is coming from spam injection. The solution? Grab an industrial size helping of Apache mod_security.
BTW, Ivan Ristic’s (the developer of mod_security) Web Security Blog is well worth a spot in your blogroll.
(Edit: fixed title. Duh.)