How to: Create more legit looking spam/scam mails
Tuesday, November 3, 2009 3:19:00 PM
Getting the user data
Your browser history is an open book (well, more like a database really). And in that book, you will probably list your online bank. (You checked your balance only yesterday, remember?) The Web site WhatTheInternetKnowsAboutYou.com will demonstrate how it works and it provides the technical details needed to get to this data.
Imagine data about you being gathered from this data mining method (completely transparent), and then this data being supplemented by a common comment field found on many blogs:
<label>Full name: <input type="text" /></label> <label>Email address: <input type="text" /></label>
…and basically, that is all you need. You know the user’s name; Soo Ntob Escamed, his email address; email@example.com, and with very little effort you know the user is very likely to have an PayPal-account and an account at Royal Bank of Scotland. The data can be further validated by attempting to add the email address as a friend on Facebook, LinkedIn, and many other social sites.
The return on investment (for those with malicious intent) should be significantly increased by having such a solid database of user data that include information about the user’s financial browsing history.
More legitimate looking emails
While reading the example mail generated from such a database, keep in mind that the account name (aka. email address) is already known.
To: "Soo Ntob Escamed" <firstname.lastname@example.org>
From: "PayPal Security Notifications" <email@example.com>
Subject: Annual account maintenance / verify active account
Dear Soo Ntob Escamed,
It’s time for your annual password reset. Every PayPal user must change their password at least once per calendar year […]
Click on the link below to get started. You will have to verify by providing your current password, and then filling in your new password twice. …
Would your grandmother know this wasn’t a real request from PayPal or her bank? would you?
Would you have believed it? The data you are voluntarily giving away being used in such a way. There are many other cases where the same technique could be used. For example, did you really complete that MacBook order in the Apple Store? You were only looking, right? Or, … *click*
In summary, only fill provide your real name and email address on sites you trust. You must give that trust on a case-by-case basis, and you should be very sceptical whenever you are asked to provide this information.
And most important: don’t trust emails. They are not secured, publicly available, and too easy to fake. Do yourself a favor and ditch emailing altogether. Here it should be noted that I am very fond of emailing. But lately, it simply have become a graveyard of spam and uninteresting notifications from companies I care nothing about.
A tip for the paranoid: only fill in forms using your browser’s incognito/private browsing mode. (Opera haven’t got that yet. Better use Tools>Delete Private Data for the time being).