September 2013

Is it Spam? This week in 419 (Advanced Fee Fraud) Spam

In a previous post, I share that I assume that nearly every email I receive that even hints at having a commercial message is spam. This week I've seen lots of 419 spam, also called Advanced Fee Fraud spam.

I've previously explained one kind of advanced fee fraud in an earlier post. Typical advanced fee frauds explain how you can receive a windfall payment in return for assistance and a modest fee. One such scam in my spamtrap provides a classic example:

Several recent frauds in my spamtrap are straight-up identity theft scams. These ask you for your personal information so that funds or an account can be transferred into your name.

These scams contain Subject: lines that often seem to be the formal greetings one typically sees in correspondence delivered by the postal service:

My beloved in Christ,

Great News, You are Advised to Stop Contacting Them


and contain references to international agencies:

International Monetary Fund (IMF)

International Reconciliation and Logistics Vault

United Nations Office Of International Oversight Services (OIOS)

In my earlier post, I explain how to collect data to confirm these are spam. For these scams, I beg you to always remember to NEVER trust an email that asks for personal information of these kinds:


In the next screen shot, you can see how scammers may try to dissuade you from sharing their correspondence with anyone because the more eyes that see the message, the more likely someone will recognize it as a scam.

If you have any suspicion that an email you received is a 419 scam, DO NOT reply. DO NOT send any personal information. DO NOT contact the party by telephone. To learn more, begin here.
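A rough triage check for the indicators described in this post (greeting-style Subject: lines, references to international agencies, requests for personal information, and requests to keep the message private), as an added example rather than anything from the original post. The regular expressions, the personal-information and secrecy terms, and both sample messages are constructed for illustration; a match is a reason to look closer, not a verdict.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Subject styles and agency names come from the post; the personal-data and
# secrecy terms are assumptions chosen for illustration.
INDICATORS = {
    "greeting_subject": re.compile(
        r"^\s*(my\s+)?(dear|dearest|beloved)\b|\bgreat news\b", re.I),
    "agency_reference": re.compile(
        r"international monetary fund|\bIMF\b|united nations|"
        r"reconciliation and logistics vault|oversight services", re.I),
    "personal_data_request": re.compile(
        r"\b(full name|date of birth|home address|telephone number|"
        r"bank account|passport|occupation)\b", re.I),
    "secrecy_request": re.compile(
        r"\b(confidential|do not (share|disclose|tell)|keep (this|it) (secret|private))\b",
        re.I),
}
# Constructed sample messages (not real spam).
SCAM = """\
From: "Mrs. Example" <sender@example.invalid>
Subject: My beloved in Christ,
Content-Type: text/plain; charset=utf-8

The International Monetary Fund (IMF) has approved your payment.
Reply with your full name, home address and telephone number.
Keep this confidential until the transfer completes.
"""
BENIGN = """\
From: colleague@example.invalid
Subject: Agenda for Thursday

Attached is the agenda. See you at 10.
"""

def triage(raw_message):
    """Return which 419 indicators a raw email message matches, plus a count."""
    msg = message_from_string(raw_message)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    body = ""
    for part in msg.walk():  # inspect the first text/plain part only
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body = payload.decode(part.get_content_charset() or "utf-8", "replace")
            break
    text = subject + "\n" + body
    hits = {name: bool(rx.search(subject if name == "greeting_subject" else text))
            for name, rx in INDICATORS.items()}
    hits["score"] = sum(hits.values())  # number of indicator categories matched
    return hits
```
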


New APWG Global Survey Explores Phishing Trends and Name Use in 1H 2013

Greg Aaron and Rod Rasmussen's biannual Global Phishing Survey for 1H 2013 has some interesting findings. For me, the most striking and worrisome include:

Shared Virtual Server compromises accounted for 27% of all phishing attacks. Attackers are targeting and compromising servers that host large numbers of domains. The attackers exploit the server configuration to install their phishing pages at every hostname (domain) that is being operated from that server. The efficiency of this form of attack is striking: by compromising 115 servers, attackers were able to launch 19,445 phishing attacks!

Phishers are attacking more brands, and attacking certain brands with startling frequency. In 2H2012, phishers targeted 611 brands but in 1H2013, they attacked 720. Half of the targeted brands were attacked multiple times, and the top 80 were attacked over 100 times each.

After "historic" lows in 2012, phish page up-times increased dramatically, from just over 26 hours in 2H2012 to over 44 hours in 1H2013.

The use of malicious registrations (domain name registrations made specifically for criminal purposes) doubled from 2H2012. Sixty-eight percent (68%) of malicious registrations were made by Chinese phishers targeting Chinese targets, but most often using top-level domains other than .CN. The authors report that,

"Almost 82 percent of the 12,173 malicious domain registrations were made in just three TLDs: .COM (6,477), .TK (2,801), and .INFO (655). The .COM registry has no anti-abuse program. The .TK registry offers free domain name registrations. It also gives accredited interveners the ability to directly suspend .TK domains in the registry. (These partners include Facebook, Internet Identity, and the Anti-Phishing Alliance of China.) While this speeds takedowns, it does not prevent phishing from occurring. The .INFO registry operator has an abuse response program, but the TLD remains inexpensive compared to others, a factor which has historically attracted abuse." 

Asia-Pacific registrars dominate the top phishing registrars by malicious domain score. Four of the top five operate from China. The authors note,

"Chinese registrars continue having difficulty keeping miscreants from registering gTLD domains via their services. The use of Chinese registrars is disturbing, and the authors recommend that Chinese registrars implement the APWG’s “Anti-Phishing Best Practices Recommendations for Registrars.”"

I'd encourage these registrars to consider practices recommended in SAC 040, Measures to Protect Domain Registrations Against Exploitation or Misuse.

The Report contains many other interesting statistics that will help you understand the current state of global phishing. I encourage you to consider downloading and comparing prior biannual reports, also available at APWG, to see how phishing is evolving.