Spam And Social Engineering

(Please see a subsequent post on this: Apologies for getting it wrong and thanks to everyone for writing in)

Spam always surprises.

This morning I got an HTML email from a seemingly credible email address with just one line in it: http://drs.yahoo.com/jeremywagstaff.com/NEWS

Hmmm, I thought, my name! I was almost going to click it, but then decided to forward it to Daniel McNamara, who monitors this kind of thing on his website Code Fish. He called it “really weird porn spam”. The link in the HTML in fact goes to:
http://drs.yahoo.com/jeremywagstaff.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/jeremywagstaff.com/NEWS

My browser, Daniel says, will ignore anything before the * so the remaining link is:
http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/jeremywagstaff.com/NEWS

Everything after the # symbol is just an internal page reference so we can ignore that as well, leaving: http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/

Daniel says going to that page will redirect us to:
http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/terra.html

Buried in that page is a small graphic that is a simple counter. This page then opens a pop-up window that goes to Danni’s Hard drive (apparently a well known porn site). Daniel writes: “This redirect includes the linker’s ID so they get cash from Danni’s for each referral. So, weird but effective. They don’t care if you hang around on the site just that you followed the link and made them money.”

Ugh. One final point from Daniel: The spam script inserts the recipient’s domain into the link to make it appear more relevant – in this case, jeremywagstaff.com. It was nearly enough for me.

A good example of how social engineering doesn’t need to be fancy to work.
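The reduction Daniel walks through above can be turned into a check a mail filter could run. This is an added example, not code from the post or from Code Fish: the function name `analyze_link` and the flag names are hypothetical, and the sample is the link from the post joined into one string.

```python
from urllib.parse import urlsplit

# The link from the post, joined back into a single string.
SAMPLE = ("http://drs.yahoo.com/jeremywagstaff.com/NEWS/"
          "*http://www.security-warning.biz/personal6/maljo24/"
          "www.YAHOO.com/#http://drs.yahoo.com/jeremywagstaff.com/NEWS")


def analyze_link(url, recipient_domain):
    """Reduce a link as the post does and list what makes it suspicious."""
    # Step 1: keep only what follows the first '*', if there is one.
    prefix, star, embedded = url.partition("*")
    target = embedded if star else url
    # Step 2: drop the '#...' part, which is only an in-page reference.
    parts = urlsplit(target)
    effective = parts._replace(fragment="").geturl()

    shown_host = (urlsplit(prefix).hostname or "").lower()
    real_host = (parts.hostname or "").lower()
    domain = recipient_domain.lower()
    flags = []
    if star and embedded.lower().startswith(("http://", "https://")):
        flags.append("embedded-url")        # a second absolute URL after '*'
    if star and shown_host != real_host:
        flags.append("host-mismatch")       # visible host is not the real one
    if "://" in parts.fragment:
        flags.append("decoy-fragment")      # a URL hidden in the fragment
    # The recipient's own domain outside the real host is personalisation bait.
    if domain in url.lower() and domain not in real_host:
        flags.append("recipient-domain-in-link")
    return {"shown_host": shown_host, "real_host": real_host,
            "effective_url": effective, "flags": flags}


if __name__ == "__main__":
    for key, value in analyze_link(SAMPLE, "jeremywagstaff.com").items():
        print(f"{key}: {value}")
```
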
