Archive for the ‘Phishing’ Category

New technique from the Craigslist spammers

Friday, August 31st, 2012

In June, I wrote about a technique used by spammers to harvest names and email addresses of “live” targets for their spam.

In a nutshell: you post an ad to Craigslist; the spammer sends you an automated email which makes you think that maybe the sender is interested in your ad; you send a response, “Are you interested?” thus revealing your name (if it’s configured in your email client) and real email address to the spammer; and within hours, you are deluged by spam at that address, which uses your name from your email header, thus making it more likely that you will read it and that it will make it through your spam filter.

As I noted in my earlier blog posting, the fix to this is simple: Craigslist should tweak the email headers so that the entire exchange between poster and respondent is sent through Craigslist’s proxy server, so that the poster’s name and email address are never revealed in the header of a message sent by him/her to the spammer. Given how prevalent this problem is on Craigslist, it’s a mystery why they don’t do this.
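One way to build the two-way relay proposed above, as an added example that is neither Craigslist’s code nor the author’s: the relay domain, the post alias and all addresses are placeholders, and each forwarded message is rebuilt from only its Subject and body, so no display name or identifying header survives in either direction.

```python
import email
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical relay domain and post alias: placeholders, not Craigslist's real ones.
RELAY_DOMAIN = "relay.example.invalid"
POSTS = {f"post-a1b2c3@{RELAY_DOMAIN}": "jane.poster@example.com"}  # alias -> poster
REPLIES = {}  # reply alias -> (respondent's real address, post alias it answered)

def _rewrite(msg, sender, recipient):
    """Build a fresh message carrying only Subject and body, so Reply-To, Sender,
    Message-ID, Received and X-Mailer headers, and any display name, never pass through."""
    out = EmailMessage()
    out["From"] = sender            # bare alias: no display name to leak
    out["To"] = recipient
    out["Subject"] = msg["Subject"]
    out.set_content(msg.get_payload())
    return out

def relay_inbound(raw, seq):
    """Respondent -> poster. The respondent's address is replaced by a per-conversation
    reply alias, so the poster's answer has to come back through the relay."""
    msg = email.message_from_string(raw)
    post_alias = parseaddr(msg["To"])[1]
    reply_alias = f"resp-{seq}@{RELAY_DOMAIN}"
    REPLIES[reply_alias] = (parseaddr(msg["From"])[1], post_alias)
    return _rewrite(msg, reply_alias, POSTS[post_alias])

def relay_outbound(raw):
    """Poster -> respondent. The respondent sees only the original post alias;
    the poster's real name and address stay inside the relay."""
    msg = email.message_from_string(raw)
    respondent, post_alias = REPLIES[parseaddr(msg["To"])[1]]
    return _rewrite(msg, post_alias, respondent)

# Constructed sample traffic: the boilerplate-only probe, then the poster's reply.
PROBE = (f"From: Harvester <harvester@example.net>\nTo: post-a1b2c3@{RELAY_DOMAIN}\n"
         "Subject: Re: Bicycle for sale\n\nIs this still available?\n")

def demo():
    to_poster = relay_inbound(PROBE, 1)
    reply = (f"From: Jane Poster <jane.poster@example.com>\nTo: {to_poster['From']}\n"
             "Subject: Re: Bicycle for sale\nX-Mailer: Desktop Mailer 1.0\n\n"
             "Are you interested? You don't seem to have said so.\n")
    return to_poster, relay_outbound(reply)

if __name__ == "__main__":
    inbound, outbound = demo()
    print(outbound.as_string())
```

A name typed into the body or signature still leaks, of course; the relay can only scrub what the mail client puts in the headers.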

Alas, the problem has gotten worse, not better. At the bottom of every email message sent through Craigslist’s proxy server is a link that people can use to report the message as spam. People who are moderate to heavy users of Craigslist can recognize these phishing messages immediately and report them as spam, thus helping Craigslist to figure out who should be blocked from sending messages through them. Alas, the spammers have figured out how to break the flagging link at the bottom of their email messages.


Craigslist email-reply scam and what Craigslist could do to fix it

Tuesday, June 19th, 2012

UPDATE [2013-02-13]: According to this article on Craigslist, as of February 10, 2013, they have implemented and are testing the idea I described below for fixing the problem described in this posting.

I recently placed a for-sale ad on Craigslist. I anonymized my email address in the ad, which means that the published email address was a random one at, and any responses sent to that address would be forwarded on to me.

Within 24 hours of placing the ad, someone responded to it, but the response contained nothing but the standard Craigslist boilerplate and a copy of the first line of the ad.

I thought perhaps the sender had made a mistake, or perhaps Craigslist’s mail gateway had corrupted the response, so I sent back a reply: “Are you interested in the [item]? You don’t seem to have said so in your email.”

Within 24 hours of sending my reply, I started to receive supposed responses to my ad, sent directly to my real email address, not through the anonymous address at Some of these responses even used my real name in them. I received six such emails in three days. Yikes!


Who’s using my email address, and why?

Thursday, June 23rd, 2011

Somebody seems to be using my email address in a weird, ongoing way that doesn’t seem to be benefiting them in any way. The fact that I can’t figure out why they’re doing it concerns me, because I have to suspect that there is some benefit to them, which I just haven’t been able to figure out. I’m worried that if it’s helping them, it’s probably hurting me, even if I don’t know it.

Therefore, I’m blogging what I know, in the hope that perhaps someone else will be able to look at the facts and point out something I missed about why this is going on.


A study in contrasts: handling stolen email lists

Monday, April 4th, 2011

I try to make a habit of giving out “tagged” email addresses to web sites when I sign up for accounts / mailing lists / whatever. For example, when creating an account at, instead of just signing up as “”, I might sign up as “”. It ends up in the same mailbox regardless, and it gives me some visibility into who is sharing or selling or allowing my email address to be stolen.

About six months ago, I started getting spam from an email address that I had only used in one place: signing up one of my kids for a Scholastic, Inc. book club through their web site back in 2007.

I contacted Scholastic and told them that either they were selling my email address and it needed to stop, or they had suffered a data breach of at least customer email addresses, if not more.

In response, Scholastic’s CISO informed me that Scholastic doesn’t sell email addresses to third parties; their children’s book club business was sold to Sandvik Publishing in 2008; the email address in question was no longer in Scholastic’s database; and I should contact Sandvik if I wished to pursue the matter further.

I sent a reply to the CISO which read as follows:

I don’t recall ever being asked whether I considered it OK for Scholastic to sell my PII to another company. This is especially disturbing since at that point I was no longer a customer of Scholastic’s for the business that was sold.

Granted, your privacy policy gives you the legal right to sell any information you collect to anyone you want. The fact that you are legally permitted to do that doesn’t make it right.

Your privacy policy also says, “Scholastic ensures that all personally and non-personally identifiable information that it receives via the Internet is secure against unauthorized access.” Alas, you apparently do not consider it your responsibility to ensure that the third parties to whom you sell PII keep it as secure as you claim to do yourselves. That is rather disappointing.

I will contact [Sandvik] as you have suggested. However, if I were in your shoes, I would be extremely concerned that a third party to whom Scholastic had sold PII allowed it to be compromised, and I would consider it my responsibility to investigate the issue myself, rather than leaving the wronged (former) Scholastic customer entirely on his own.

I received no further response from Scholastic.


Devious domain typo hijacking

Friday, December 17th, 2010

Fascinating phishing attack — the links are fine, but watch out for the toll-free number!

Wednesday, July 30th, 2008

A phishing message in my spam folder caught my eye today, so I decided to take a closer look at it.

It claimed to be from CapitalOne.  It had a legitimate sender address, a legitimate Subject line (“Please Call Us Regarding Recent Restrictions”), and convincing-looking content that was mostly lifted straight from a real CapitalOne email message.  Most importantly, all of the links in the message were legitimate links pointing at URLs.

The only text in the message that was not boilerplate was this:

Please Call Us Regarding Recent Resctriction [sic]

This is not a promotional e-mail. Please call us immediately at (866) 496-5027 regarding recent activity on your Capital One Card. We’re available 24/7 to take your call.

Please disregard this e-mail if you’ve already call us since the date this e-mail was sent.

We appreciate your prompt attention to this matter.

Thank you
Capital One Card Fraud Prevention Security Department

Here’s what makes this phishing message different from others I’ve seen: the “hook” is the phone number, not the links in the email body.

Here’s what you hear, recited in a female computer-synthesized voice, when you call the number shown above:

Welcome to the card activation center.  Please remember that we will never ask for your personal information such as your social security number, passwords, card numbers, etc. via email.  Please enter your card number followed by the pound key.

[doesn't matter what you enter here]

Please enter your personal identification number associated with this card followed by the pound key.

Please enter your four-digit expiration number [sic] (months year) followed by the pound key.

Please hold while your card is activated.

The card number, personal identification number or expiration date doesn’t match with our records.

[starts over]

Obviously, whoever set up this toll-free number is collecting card numbers, expiration dates and PINs, which they will then either sell or use to obtain cash advances from ATMs.
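A defender-side check for this kind of message, added here and not part of the original post: since every link is legitimate, the only automated tell is a phone number the institution does not publish. The allowlisted number is a constructed placeholder, not one of Capital One’s real numbers; the phishing text is the one quoted above.

```python
import re

# Constructed allowlist of numbers the institution really publishes (placeholder,
# not Capital One's real number): anything else in a "call us" message is suspect.
KNOWN_NUMBERS = {"8005550100"}

# North American numbers in the forms people write them: (866) 496-5027,
# 866-496-5027, 866.496.5027, 1-866-496-5027, +1 866 496 5027.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

def normalize(number):
    """Reduce any written form to its 10 digits, dropping a leading country code."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits

def unlisted_numbers(body, known=KNOWN_NUMBERS):
    """Phone numbers in the message body that are not on the allowlist.
    URL checks pass on this kind of message; this is the check that catches it."""
    found = {normalize(m.group()) for m in PHONE_RE.finditer(body)}
    return sorted(found - set(known))

# The non-boilerplate text of the message quoted above, and a constructed
# legitimate notice that writes the allowlisted number in a different format.
PHISH = ("This is not a promotional e-mail. Please call us immediately at (866) 496-5027 "
         "regarding recent activity on your Capital One Card. We're available 24/7 to take your call.")
LEGIT = "Questions? Call 1.800.555.0100, the number printed on the back of your card."

if __name__ == "__main__":
    print("phish:", unlisted_numbers(PHISH))   # the toll-free hook
    print("legit:", unlisted_numbers(LEGIT))   # nothing flagged
```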

I wish there were somewhere I could report this scam to get the toll-free number taken down, but I honestly have no idea who would be interested in doing something about this and able to act quickly.