OK, I have gotten some clever email scams in the past. I have received lots and lots of “word salad” scams recently, too, like “Parsley indigenous blogger obfuscate!”. But this, by far, is the most incompetent phishing scam I have ever received.
Subject: Notice: Your Online Is Bloked
From: “Bank Of America”
Date: Tue, January 2, 2007 14:26
To: matthew@…
Priority: Normal
Mailer: Microsoft Outlook Express 6.00.2600.0000
The content: this image. The site linked to: http://www.lung.org/boa.html
Note: It’s possible the above image may not show up at some point in the future because of this scam. If you arrive too late to see the image, it’s an obvious screen shot of a Bank of America web page saying “You Online Banking is Blocked”. The reason it’s so obviously a screen shot is that it’s an 8-bit GIF image, with really, really bad dithering. I mean, horrible. It looks like a screen shot of a CGA monitor or something. It’s barely readable.
I know P.T. Barnum said “There’s a sucker born every minute”, but do these absolutely inept phishing attempts actually work? On anybody? Ever?
I’m very irritated at the volume of spam wiggling its way past my filters lately. What about you?
I thought….
I thought for a brief moment that this was going to be a Book of Abraham post. Phishing, indeed.
Spam of a different flavor
I’ve recently dedicated way too much time on the phone with my members who have responded to a bit of e-mail spam that was targeting midwives. I had seen the same spam at all my work addresses (clever spammers they are) and rightly deleted. But within days, I am hearing that some of my folks out there in (forgive me) flyover states had actually responded (with money) to the appeal. So, there I was, writing blast e-mails (is that spam, too?) to the membership and posting notes on our site, once again educating 5000 midwives on how to spot spam in their in-box (ask yourself, do you know anyone in the UK, and if not, delete the e-mail for crying out loud!) and what to do about it afterwards. I’ll link to what I posted on our site as guidance – http://www.midwife.org/about.cfm?id=1021.
That’s nothing compared to the 2000 spam e-mails in the junk mail filter when I got back from 15 days of vacation.
So, here’s my question for the techies here – what’s the real solution? Clearly it seems government intervention is not an impediment to spammers. Tech solutions are killing small businesses due to costs (and small associations, I’ll admit, are feeling the $$$ bite, too.) I’m interested in hearing what you think.
Unfortunately, there’s
Unfortunately, there’s always going to be spam out there. It’s a fact of internet life.
However, there are a number of spam solutions that are not very cost-prohibitive. We make use of a very good spam service that costs something like $3 a month per email address.
It’s worth it to put the money into a spam blocker. When you consider that on average, 75% of the mail sent to your address is spam, the time that it would take you to clear out your inbox every day would cost you more than the money you spend up front to implement a filter.
That being said, some spam will still find a way to get through, so unfortunately the users themselves must be educated as well.
The tragedy of the Commons
The spam problem has been rightly compared to the Tragedy of the Commons. Given a finite resource owned in common, all of those who participate in the commons will tend to act in their own best interest, which will lead to the destruction of the commons.
The canonical example is common grazing land. The value of adding an animal to one’s herd is equal to the value of that animal. The cost to the individual is the cost of the animal divided by the number of individuals who have a stake in the common grazing land.
The spam problem is magnified by the number of people participating in this particular “commons”… in this case, almost a billion people. The utility of sending a spam mail is the value to the individual sending it. Just a few people buying your product, or falling for a phishing or 419 scam, is more than enough to pay for the trivial cost of an Internet connection and “bullet-proof hosting” provider. The cost of sending the mail is minuscule, particularly considering the number of people a spam mail is typically sent to.
I predict that email as we know it will die. Spam-blocking software catches a lot of legitimate mail. Whitelist systems require users to jump through hoops. Eventually, to correspond with a new person, I predict that pretty much everybody is going to have to go through a type of “Turing Test” to determine if they are human and sending a person-to-person mail. They’ll have to do something that will drive the cost of doing business up for the spammer.
I already do this on barnson.org for my mail. I recently turned it off, as I’m attempting to make the system work in a trivial way for non-geeky users here, but it’s the only solution I’ve found to managing my spam. It’s called “TMDA”, and without it, I receive in excess of a hundred spams per day. With it, none of them sneak through, except from those few spammers willing to use a legitimate email address and jump through a delivery hoop.
The downside? It’s a little-used system, and I frequently have to retrieve email from my “potential spam” folder from people who think that the return mail they receive from me is, itself, spam, or don’t want to bother to read what is obviously an automated email. Which means that I *still* have to comb through my spam periodically to determine if something important landed in there. I use my email a lot, and people only have to do this the first time they correspond with me… I only get an email I care about stuck in that box once every 2-3 months.
For a small organization such as your own, a single Linux PC acting as a “gateway” with a mammoth hard disk drive (bigger than, say, 80GB) would do the job easily. Basically, for every email sent to your organization, it would generate a return mail asking that the sender simply reply to this automated mail in order to have their mail delivered. If they reply, the email is delivered. If they don’t, the email sits in a queue for two weeks waiting for a response. Usually, you set up TMDA so users can view their spam queues and determine if any legitimate mail has gotten stuck in there. The amount of time the mail waits is also configurable. It’s a simple solution, and only works because the cost of replying to a verification email is too high for 99.999% of spammers. They have to use false email addresses, so the verification mail doesn’t go anywhere. If they use a legitimate address and actually reply to the mail (as a few do), you have just figured out where they are coming from and can file a complaint with their ISP.
—
Matthew P. Barnson
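The challenge-response gateway described in the comment above, as an added sketch that is not TMDA's code and not part of the original thread. The class and method names, the HMAC-based confirmation token and the demo key are assumptions made for illustration; only the whitelist, the held queue and the two-week hold come from the comment.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a per-gateway secret
HOLD_SECONDS = 14 * 24 * 3600     # the two-week hold from the comment


class ChallengeGateway:
    """Hold mail from unknown senders until they answer a challenge."""

    def __init__(self, secret=SECRET, hold=HOLD_SECONDS):
        self.secret = secret
        self.hold = hold
        self.whitelist = set()  # senders who have confirmed once
        self.pending = {}       # msg_id -> (sender, body, received_at)

    def _token(self, msg_id, sender):
        # Bind the token to message and sender so it cannot be guessed
        # or replayed to release a different sender's mail.
        mac = hmac.new(self.secret, f"{msg_id}|{sender}".encode(),
                       hashlib.sha256)
        return mac.hexdigest()[:20]

    def receive(self, msg_id, sender, body, now):
        """Return ("deliver", None) or ("challenge", token_to_mail_back)."""
        sender = sender.lower()
        if sender in self.whitelist:
            return ("deliver", None)
        self.pending.setdefault(msg_id, (sender, body, now))
        return ("challenge", self._token(msg_id, sender))

    def confirm(self, msg_id, sender, token, now):
        """Handle a reply to the challenge; return the released body or None."""
        sender = sender.lower()
        held = self.pending.get(msg_id)
        if held is None or held[0] != sender or now - held[2] > self.hold:
            return None
        expected = self._token(msg_id, sender)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return None
        del self.pending[msg_id]
        self.whitelist.add(sender)  # later mail skips the challenge
        return held[1]

    def expire(self, now):
        """Drop held mail past the hold period; return how many were dropped."""
        old = [m for m, h in self.pending.items() if now - h[2] > self.hold]
        for m in old:
            del self.pending[m]
        return len(old)
```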
You mean…
You mean that the prince in Nigeria didn’t lose his father and won’t be transferring me the vast fortune that they have built?
Man… doesn’t that blow.