Back to previous post: The Angry Sea

Go to Making Light's front page.

Forward to next post: Elections 2013

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

October 29, 2013

Looking Warily at Mal
Posted by Jim Macdonald at 07:52 PM *

Today’s email brought this:

From: “”
Subject: order #AAR-5018964-8346289
Date Sent: Tue, 29 Oct 2013 05:59:12 -0700 (PDT)
Date Recd: Tue, 29 Oct 2013 08:04:21 -0500

[Full headers omitted — letter came via Yahoo Mail from somewhere in Israel if I’m reading the IPNs right]

Good afternoon, Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Order Details Order #AAR-5018964-8346289 Placed on October 26, 2013 Order details and invoice in attached file. Need to make changes to your order? Visit our Help page for more information and video guides. We hope to see you again soon.


Yep, an attachment. I wonder what’s in it?

To answer the insatiably curious, it contains an executable called Order details.exe with a file size of 69,120 bytes. Which I’m not curious enough about to run.

It turns out that quite a number of letters like this have been going around lately; the order number is different each time, and the supposed address is different each time. Sometimes it starts “Good morning,” other times “Good afternoon,” and yet other times “Good evening,” but they’re all supposedly from even has a link up on their main Help page, Unexpected E-mail From

From other reports on the web from folks who did open the attachment and click on the link, it takes you to a supposed page where they ask you for your email address, account name, password, banking information, and such. Which doesn’t mean that it didn’t drop a ton of malware too.

So: Stay safe and be suspicious of unexpected letters containing links or attachments.

Comments on Looking Warily at Mal:
#1 ::: SummerStorms ::: (view all by) ::: October 29, 2013, 08:28 PM:

Thanks for the heads-up. Also, shared elsenet.

#2 ::: MRS MIRIAM ABACHA ::: (view all by) ::: October 29, 2013, 08:36 PM:


(It looked like the Preview worked, and then my browser crashed when I hit Post; you guys are really proactive!)

#3 ::: Clifton ::: (view all by) ::: October 29, 2013, 08:44 PM:

I've been getting bombarded for the past week or two with malware spam with subjects like "Saw your photo", "Is this your picture?" etc. with mighty suspicious looking attachments. On some days I think I've been getting as many of those as all my other spam put together.

Today's new fun was a text on my cellphone telling me my VISA has been suspended, and please call an (apparently local) number to talk to customer support. Yeah no. When I find time, however, the local police department may get a call about it.

#4 ::: Bill Stewart ::: (view all by) ::: October 29, 2013, 08:50 PM:

Given the title, I'd been expecting a critical commentary on Firefly :-)

One of the projects I have to implement soon at work is trying out the malware tracking feature on the product I support; it calculates file hashes for email attachments and http/ftp downloads, checks with the vendor's cloud server to see if they're known bad or known good, and lets you track where they've gone within your company so you can hunt them down if you need to.

I usually don't see many actual malware emails, because either my ISP or my work mail system filters them first, but a few do get in. And I looked at a recent "Google Recruiter" email pretty carefully to see if there were any http links pointing to suspicious places and couldn't find any, so it could have actually been somebody cold-emailing Linked-in friends-of-friends or something.

#5 ::: Naomi Kritzer ::: (view all by) ::: October 29, 2013, 09:12 PM:

The really exciting malware that's apparently trying to get you to open attachments right now is the one that encrypts all your files and holds them for literal ransom. (If you fork over several hundred dollars in BitCoin or another untraceable form of currency, they'll decrypt them again.)

#6 ::: Lee ::: (view all by) ::: October 29, 2013, 09:39 PM:

I've seen something with the heading "FW: acta" twice in 2 days -- yesterday on a friend's (apparently hacked) Twitter account, and today on an e-mail list, presumably from a compromised e-mail somewhere. The body just contains a link, of the sort that's all a jumble of letters and numbers. Click it? I don't THINK so.

#7 ::: C. Wingate ::: (view all by) ::: October 29, 2013, 09:54 PM:

I got one claiming to be "a prophecy from Prophet Manasseh".

#8 ::: Clifton ::: (view all by) ::: October 29, 2013, 10:57 PM:

Naomi @ 5: Somebody decided to take Neal Stephenson's Reamde as an instruction manual rather than a thriller? I hope they end up with a bunch of pissed-off Russian mobsters after them.

#9 ::: Andrew Plotkin ::: (view all by) ::: October 29, 2013, 11:40 PM:

Naomi Kritzer@5:

The thing about that one is that why would you believe that you would actually get your files back after one payment? And if you *don't* believe the message, it's just a trojan that destroys your files. Not a new concept at all.

(I have heard the story about this thing, but have no idea whether it's real. Either way, my response is the same.)

#11 ::: xeger ::: (view all by) ::: October 30, 2013, 12:47 AM:

Bill Stewart @ 4 ...
Given the title, I'd been expecting a critical commentary on Firefly :-)

You're not the only one :D I've just been re-watching bits of Firefly, and was wondering if Jim was reading my mind.

#12 ::: pericat ::: (view all by) ::: October 30, 2013, 01:19 AM:

Latest bit of phishing here was an email asserting my Dropbox password had been flagged as 'dangerous' and I should change it via the handy link right here ja you betcha.

Malware on a website almost caught me last week, though, because I was stressing out over needing to d/l a dearchiver in a hurry, and almost-but-not-quite clicked the OK to install all kinds hlepy toolbars and heck knows what else.

At that point I decided I was too stressed to continue, and should do something else. Like breathe for a while. And run a virus check.

#13 ::: Zora ::: (view all by) ::: October 30, 2013, 02:07 AM:

When you visit the dark alleys of the net, danger lurks. I was looked for pirated ebooks and ended up on a site that promised me all of a certain author's works if I downloaded an .exe file. Um, no thanks.

I would like to be legit, but the local library offers little in the way of ebooks. I can't use Oyster because my antiquated iPod Touch (used as an ereader) can't run the latest iOS; that's what the Oyster app requires.

#14 ::: Josh Berkus ::: (view all by) ::: October 30, 2013, 03:27 AM:

Bill @4:

FWIW, we went to see "Jaynestown Live", a Firefly stage play, last week and it was freakin' hilarious. We laughed so hard I got dizzy. Sadly, the run is ended, so you can't go see it now.

For my part, I seem to get mostly stock market spam right now. It's quite elaborately done; random stock "tips" sent via any of a million zombie malware-infected Windows machines, randomly selected. Quite impossible for me to block, since there's no pattern at all in sender, routing, or subject.

How long before someone figures out that this kind of spam could be an effective means of political propaganda? Shall we start a betting pool?

#15 ::: Dave Bell ::: (view all by) ::: October 30, 2013, 04:25 AM:

While it's almost totally unrelated, Amazon is selling so much stuff, from so many places, that they make an opportunity for such tricks. It isn't always obvious, when you buy something, just where it is delivered from. A company trading name, but not a location. I have had a genuine letter warning me that delivery would be delayed because of a public holiday in the particular country.

It wouldn't be hard to put together something such as that, with some stuff about canceling the order if you act quickly, and inviting people to click on the attachment.

"You made an order to us through our UK agents, who sell via Amazon and other sites. Because of a fire at our factory, this order will be delayed by 20 working days. If this delay is excessive for your purposes, you may cancel the order. The refund will come through our insurance company, and you should click here to make the cancellation."

Yes, I am evil. And insurance doesn't work like that.

#16 ::: Dave Bell has been gnomed ::: (view all by) ::: October 30, 2013, 04:27 AM:

The post contained a passage that looks like a horribly plausible malware delivery attempt.

#17 ::: Mongoose ::: (view all by) ::: October 30, 2013, 05:47 AM:

This kind of thing makes me really glad I'm running Linux. Apparently the malware referred to by Naomi @ 5 attacks Word and Excel files.

#18 ::: mjfgates ::: (view all by) ::: October 30, 2013, 07:05 AM:

Josh Berkus@14: Do the endless right-wing chain letters my stepsister forwards around count as "spam?" I think they do.

#19 ::: Fragano Ledgister ::: (view all by) ::: October 30, 2013, 07:51 AM:

Mrs Miriam Abacha #2:

I go contact you just now. First I must chop breakfast with my friends in Owerri, then we go buy some wash-wash chemicals for the $US 20 million we have in a steamer trunk for your esteemed attention.

#20 ::: --E ::: (view all by) ::: October 30, 2013, 09:57 AM:

We just got a warning email to everyone at my employer that similar things are coming from addys that claim to be UPS, FedEx, etc.

#21 ::: Steve with a book ::: (view all by) ::: October 30, 2013, 01:41 PM:

Metafilter pointed me a few days to the YouTube channel of rogueamp, who usefully dissects malware and ransomware (occasional mild NSFW audio / visible text). Have only looked at a few of these, but this 'review' of software that laughs at you, horribly, is instructive if you have ten minutes spare.

#22 ::: eric ::: (view all by) ::: October 30, 2013, 02:24 PM:

I got one that claimed to be a WhatsApp voicemail notification.

I think this is from the recent massive adobe breakin, since the email address it came to was tagged with adobe.

#23 ::: Mongoose suspects French spam ::: (view all by) ::: October 30, 2013, 03:08 PM:

Steve @ 21: software that laughs at you. Oh dear. That reminds me of something that happened on my last computer.

My last computer, like all but one of the machines I've ever owned, was second-hand. It was also less predictable than most, because I usually got old machines from geeky friends, whereas this one came from someone I used to work with. Rather than reformatting the hard drive, they'd left various software on it that they thought might be useful, and I took the path of least resistance and left it as it was.

Consequently it had a number of glitches, the most annoying being that I couldn't turn off the sound on some piece of software which was supposed to allow you to do that. I don't care for random dings and beeps, so what I used to do was keep the system sound turned off except when I specifically wanted to listen to something, such as a video upon the Tube of You.

Well, after I'd owned this thing for a short time, I noticed that whenever I turned the sound on, it would belch at me at intervals of about ten minutes (give or take; there was definitely a random element). This was distinctly irksome, especially if I was trying to listen to Purcell. I did all the normal malware checks and scans you do with Windows (which is what I was running at the time), and they produced nothing, so I tried some rather more obscure measures. Still nothing. No matter what I did, the wretched machine still belched.

By this time I was convinced I was dealing with an infernally clever piece of malware, and had taken to various paranoid subterfuges to confuse any keylogger that might have come bundled with the burper. Then, one day, I came home from work, switched on the computer, saw that someone had linked a music video with a stationary background, put that on to listen, and went off to the Garfield Games site in another tab to go and play parcheesi. (You may laugh, but I needed something to keep me sane at the time, and parcheesi worked quite well because I was good at it without having to use a lot of brain power.)

And Garfield, who sits at the top left of the screen and watches you play, suddenly belched.

I'm still the sort of person who keeps a lot of tabs open all the time. But I no longer play parcheesi with Garfield.

#24 ::: Mongoose is a clodpoll ::: (view all by) ::: October 30, 2013, 03:09 PM:

Aaaargh. I am so sorry. I can't believe I did that yet again. No spam!

#25 ::: Nadya ::: (view all by) ::: October 30, 2013, 03:31 PM:

Bill @4 - I thought the same. Mal makes me think of Captain Mal, before malware, which is a happy set of priorities if I do say so.

#26 ::: Xopher Halftongue ::: (view all by) ::: October 30, 2013, 03:42 PM:

Mongoose, while I'm not sure exactly what a clodpoll is, I'm willing to go out on a limb and say that you're not one.

Is that the same word, essentially, as 'clotpole'? That one popped up in Merlin. It was spelled that way in the captions, which I suppose doesn't actually mean it was spelt correctly.

#27 ::: Steve with a book ::: (view all by) ::: October 30, 2013, 04:35 PM:

Mongoose@23: I have a talent for accidentally coaxing annoying sounds out of supposedly-silenced office computers. (One of my perl scripts chatters away to standard output in a DOS terminal window, ASCII BELL character slips through...)

#28 ::: Lee ::: (view all by) ::: October 30, 2013, 05:04 PM:

eric, #22: I got a couple of those too. I thought it was because I had just activated a smartphone, but perhaps not.

Xopher, #26: Split the difference? Every time I've seen the word used (which is mostly in Regency romances), it's been spelled "clodpole". From context, it's roughly synonymous with "dolt".

#29 ::: Dave Harmon ::: (view all by) ::: October 30, 2013, 05:18 PM:

Steve with a book #27: Heh -- I used to work for a company that wrote device drivers, for mice and other pointing devices. One of our tricks was to have the debug builds click the speaker on one of the interrupts, either a polling interrupt (yielding a steady hum) or the data interrupt (buzz when you moved the pointer).

#30 ::: fidelio ::: (view all by) ::: October 30, 2013, 05:23 PM:

With regard to "clotpole/clodpole": Try "Clodpoll" instead, with "poll" = "head".

#31 ::: Serge Broom ::: (view all by) ::: October 30, 2013, 05:42 PM:

"I aim to misbehave."
- Mal

#32 ::: Clifton ::: (view all by) ::: October 30, 2013, 06:19 PM:

I get the WhatsApp voicemail things regularly, to an email address that's not linked to any phone as far as I know. I was assuming they were simply spam trying to get me to sign up to some crappy service; it hadn't occurred to me they could be malware, but it seems possible now that I think of it.

#33 ::: Alan Hamilton ::: (view all by) ::: October 30, 2013, 06:33 PM:

I've gotten a Twitter phish several times, where someone you know sends you a private message like "LOL Check out this picture of you" and a link. The link goes to a page that looks like a Twitter login.

Yeah, it's not. It just uses your info to hack your own account and phish all of your contacts.

#34 ::: Dave Harmon ::: (view all by) ::: October 30, 2013, 06:39 PM:

I've gotten one purporting to offer me a file from a relative on GMail's Dropbox (or whatever they're calling it). The funny part was I found it so suspicious up front, that I just picked up the phone to call her, without even bothering to look at the return address. Which was her address at Hotmail.... (Of course, I wouldn't be replying to a suspicious message by E-mail, anyway!) And yeah, her account got hacked.

#35 ::: Jacque ::: (view all by) ::: October 30, 2013, 07:07 PM:

Some party of miscreants is doing their everloving best to hack Panix with phishing emails. I've gotten a half-dozen attempts in the last week or two. Email comes in (to my Panix mail box, right!) with the subject line "You've got one new message." Then serves up a link to a plausible fake of Panix's webmail service, but points to a server in Thailand.

Have shared a few chuckles with Panix user support. ("What? You've moved your offices to the Czech Republic!?" "Oh, wait, you're in Senegal now?")

#36 ::: Mongoose ::: (view all by) ::: October 31, 2013, 05:29 AM:

Xopher @ 26: kind of you, but I am, rather, at the moment. I'm expecting normal service to resume if I can manage to land a job. Unemployment is knocking holes in me, mentally.

fidelio @ 30 is correct: "poll" = "head" (as in "redpoll" and similar words). I love this word. I'm not given to insulting people much other than myself, but if one does need an insult I think this is an excellent one. It appears in Twelfth Night; from memory, the context is that Sir Toby Belch is telling Fabian that Sir Andrew Aguecheek's letter can't be delivered as it stands, because the recipient "will know it comes from a clodpoll". Harsh but fair, in that particular case.

#37 ::: Dave Bell ::: (view all by) ::: October 31, 2013, 05:47 AM:

As a general thing, whether on the internet, or over the phone system, there is getting to be too much intrusion, honest or otherwise, trying to get you to buy stuff.

Too often, the companies involved seem to be breaking the law, and the official bodies concerned are ineffective. On the telephone system, there are options provided by the telco to callers which make it impossible to pin down where the suspect calls are coming from.

The only people with a chance of identifying the crooks seem to be the NSA, and do they care?

Maybe I should try to promote the meme that telephone sales calls with a withheld number and a foreign accent are terrorism.

Meanwhile, I try to remember that the poor sod on the other end of the line is trapped between an annoyed potential customer and an often abusive company management, in a world where leaving a job is almost a crime, and I wonder why companies want to do their customer relations on the cheap. This whole business is so easy for the malicious to abuse with fakery, and suggests that corporations value neither the skills of their employees nor the goodwill of their paying customers.

The plausibility of the scams depends on the way we have become accustomed to do business. It is as if we believe we are always dealing with crooks, and no longer care.

#38 ::: Steve with a book ::: (view all by) ::: October 31, 2013, 08:37 AM:

Dave Bell@37: there's been a lot of guff recently about making it easier to switch utility providers and bank accounts; this is pushed as being a boon for the consumer but inevitably it'll mean more and pushier telesales calls. The recipient of such a sales call has little idea whether the caller is who he/she claims to be—the security model for telesales is borked beyond redemption. Anti-fraud teams in banks must be aware of how bad it is to expect call recipients to guess the probity of callers on next to no evidence; when they raise this issue I wonder whether they just get the response 'but Marketing! We need to cold-call customers because of Marketing!'

#39 ::: Mary Aileen ::: (view all by) ::: October 31, 2013, 09:03 AM:

Because of the national Do-Not-Call list, I can pretty well figure that any sales call I get is a scam. Or a political ad. I do understand why politicians are exempt from Do-Not-Call, but I really, really wish they weren't.

#40 ::: PJ Evans ::: (view all by) ::: October 31, 2013, 10:41 AM:

I get robocalls (which are scams - they don't generally tell you up front who they're from, which is the law), political polls, and calls generally from boiler-rooms. If it's a live person, I'll usually tell them 'no thanks' before I gently hang up.

#41 ::: Mary Aileen ::: (view all by) ::: October 31, 2013, 11:16 AM:

P J Evans (40): I tell all the live humans, "Put me on your do-not-call list."

Except for the guy who said he was calling from "Windows" "about a problem with your computer." In that case I just said, "No, you're not, you liar," and hung up.

#42 ::: Mongoose ::: (view all by) ::: October 31, 2013, 12:18 PM:

I'm just waiting to get one of those fake-Microsoft scam calls. I know what I'm going to do if it happens.

"Ah," I shall say brightly, "I'm glad you rang. I've just updated my Ubuntu distribution from Raring Ringtail to Saucy Salamander, and I'm having a bit of a problem configuring grub-pc. It doesn't seem to want to install anywhere. Can you help?"

#43 ::: Lee ::: (view all by) ::: October 31, 2013, 12:38 PM:

Dave B., #37: In America, one of the reasons enforcement (especially of things like the Do Not Call List) is so ineffective is that Republicans have consistently shorted the enforcing agencies in the budget as part of their ongoing campaign to convince people that Government Can't Do Anything Right And Should Be Abolished. There are a number of such things that I wish Obama had chosen to address, which wouldn't have cost much in the grand scheme of things but would have made life significantly more pleasant for a number of people and therefore affected their perception of who's lying here.

For people in America who are profoundly annoyed with telephone spam, I do have a couple of recommendations.

The first one is Phone Tray Pro, which works with your computer and your landline to give you much more control over who can reach you. Incoming numbers show on your computer screen and can be immediately looked up online; you can set ID information for people you know and submit spam callers to their online database -- and calls from numbers in that database simply don't ring thru to you at all, or do so only once before being stopped. It also provides a variety of messages which can be assigned to play for a blocked number. The default is the standard telephone-company "This number has been disconnected or is no longer in service" message (excellent for discouraging telemarketers, as much of the auto-dialing equipment will stop trying to call a number on which it has gotten the disconnected tones), but there is also a "No Telemarketing" message, a "Not accepting calls from this number" message, and even Gandalf proclaiming, "YOU SHALL NOT PASS!" among others.

For smartphones, I've so far been quite happy with the Advanced Call Blocker app. I think it must also have a database of known-spammer numbers, because the number of spam calls to my cellphone has dropped since I installed it. But IMO the best thing about it is the ability to block the number that just called you; doing that goes a long way toward mitigating the annoyance (at least for me) because of the "Take THAT, you asshole!" factor.

Mary Aileen, #39: Political calls that come to our landline get immediately blocked, but not reported as spam to the national list. Ditto charity fund-raising solicitations. We don't believe in Special Snowflake Exemptions from the DNC list.

#44 ::: Xopher Halftongue ::: (view all by) ::: October 31, 2013, 01:48 PM:

Mongoose 36: Xopher @ 26: kind of you, but I am, rather, at the moment. I'm expecting normal service to resume if I can manage to land a job. Unemployment is knocking holes in me, mentally.

You and me both, my friend, you and me both.

#45 ::: dcb ::: (view all by) ::: October 31, 2013, 02:01 PM:

Steve with a book @38: Re. banks (and credit card companies), the big problem I have is this: person telephones you on your house phone or mobile, asks for you by name. You confirm that's who you are. They then say that they are from [your bank] or [your credit card company] and they want to talk to you about something - but that they can't even tell you what the call is about until you confirm your identity by answering some security questions. Hold on a minute, -you- called -me-. I have no idea who you are and no way to confirm your identity, but you want me to give to you all those details - date of birth, mother's maiden name, etc. etc. which you could use to hack my identity? I don't think so. So, I have to go to the expense of calling my bank/building society, to ask them if it's something important, like someone apparently hacking my credit card or debit card (and it has been, on two occasions).

So, they say that they want us to be security-conscious - but they also want us to divulge our security information over the telephone to an anonymous caller, and they can't be bothered to set up a security question which the customer could ask and the bank/credit card employee would have to answer to confirm identity... It's crazy.

#46 ::: Nancy Lebovitz ::: (view all by) ::: October 31, 2013, 02:29 PM:

Does anyone remember the title of the Sheckley story about aliens using fake consumer goods to fish for people?

#47 ::: Mongoose ::: (view all by) ::: October 31, 2013, 02:51 PM:

Xopher @ 44: *fist bump of solidarity*

Let us look forward together to the day when the economy isn't sucking so hard you can measure its Schwarzschild radius.

#48 ::: Lila ::: (view all by) ::: October 31, 2013, 04:18 PM:

Nancy Lebowitz @ #46, I don't know the story, but that reminds me of this.

#49 ::: Jeremy Leader ::: (view all by) ::: October 31, 2013, 04:34 PM:

dcb @45: I don't know about phone calls, but several large financial organizations I deal with have set up a way to pick a distinctive individualized image or phrase which they will display during the login process, as an anti-phishing measure. In other words, if I go to log into my bank and don't see a particular stock image that I chose from their collection of images, accompanied by a nonsense phrase I gave them, I know it's not really them. I don't see why they couldn't do something similar on the phone.

#50 ::: D. Potter ::: (view all by) ::: October 31, 2013, 04:59 PM:

Jeremy Leader @49: Something like "The flagon with the dragon has the pellet with the poison, but the vessel with the pestle holds the brew that is true?"

#51 ::: dcb ::: (view all by) ::: October 31, 2013, 06:19 PM:

Jeremy Leader @49: I've suggested it. Repeatedly. So far they've ignored the suggestion. Maybe I should ask the "Moneybox Live" show on Radio 4 to take it up.

#52 ::: Dave Bell ::: (view all by) ::: October 31, 2013, 06:39 PM:

My finest hour was, when called by a fake Microsoft worker about a virus, telling the guy that my computer's IP address was, hearing silence for a moment, and then getting a stream of foul-mouthed and unimaginative abuse. I like to think he fired off his malware package to that address, but I don't think the timing was plausible.

#53 ::: Lee ::: (view all by) ::: October 31, 2013, 07:26 PM:

Jeremy, #49: That's the PassMark system. The bank that I was happy with not only used it, but they implemented it before they had any sort of password-hacking problem. I think it's probably the most secure access system currently available, and it makes me a little sad that my credit union doesn't use it. OTOH, every time I go to log into my credit union account online, it goes thru a verification process that involves sending me a security code by e-mail or text message. It's a bit more cumbersome, but nearly as good; someone trying to hack my account from outside isn't likely to have access to either of those, and I don't store my ID or password information on my cellphone.

Dave B., #52: Bravo!

#54 ::: Fragano Ledgister ::: (view all by) ::: October 31, 2013, 07:37 PM:

Mongoose #36: I spent several years of my life herding Jamaica Red poll cattle (we called them "pollhead cows"). They're a breed developed for West Indian conditions out of English redpolls and Zebus. (called Brahmins in the West Indies). They were my father's herd, and noticeably stubborn animals, except for one very sweet-tempered cow that would eat mangoes out of our hands. So, naturally, some jackass shot her in the nose while trespassing on our farm to hunt birds (of, apparently, the low-flying variety).

#55 ::: Chris ::: (view all by) ::: October 31, 2013, 09:27 PM:

I recently dealt with an attempt at work. Boss got a "your fedex account information needs to b updated click here" mail, and forwarded it to me, since I handle all dealings with FedEx. I took one look at it, and noticed the following features:
1. Sender was at a .ca domain that was one letter off from "fedex".
2. Spelling, inadequacy thereof.
3. Punctuation, total lack thereof.
4. Link to domain I'd never heard of, with "fedex" at the very end of the URL.
Conclusion: pathetic attempt at phishing. Delete with prejudice.

#56 ::: Chris has been gnomed ::: (view all by) ::: October 31, 2013, 09:29 PM:

Discussion of phishing, with quote that no doubt looks like phishing.

#57 ::: Henry Troup ::: (view all by) ::: November 01, 2013, 12:03 AM:

A sample recently claimed to be from the police of a large country in Africa. Purportedly, there would be refunds for those already swindled if they would reply, with their banking details.

I'm torn between admiration for the technique, and anger at the perpetrators. With a dash of speculation about how effective it might be. "Fool me once, shame on you. Fool me twice, shame on me."

#58 ::: Andy ::: (view all by) ::: November 01, 2013, 01:46 AM:

Henry @57 - I've heard a variant of that. "Once bitten, twice shy, three times stupid"

#59 ::: Rob Rusick ::: (view all by) ::: November 01, 2013, 02:07 AM:

Nancy Lebovitz @46: Does anyone remember the title of the Sheckley story about aliens using fake consumer goods to fish for people?

I do remember the story. I did a little googling around, and although I did not find a online link, I did find it was called (not surprisingly) Fishing Season and it had been reprinted in his collection The People Trap.

#60 ::: Mongoose ::: (view all by) ::: November 01, 2013, 08:33 AM:

Fragano @ 54: I hope you caught the malefactor. I didn't actually know a redpoll was also a cow; the only redpoll I know of is a bird.

#61 ::: Fragano Ledgister ::: (view all by) ::: November 01, 2013, 09:06 AM:

Mongoose #60: Sadly, we didn't catch the idiot.

As to Jamaica redpolls see here:

#62 ::: CHip ::: (view all by) ::: November 01, 2013, 11:26 AM:

Clifton @ 8: it wouldn't be anywhere near the first time somebody has tried to make real life imitate art; Gaiman got some crap a dozen years ago after somebody tried to replicate the night-deposit repair scam from American Gods, which apparently originated with him.

Dave Bell @ 37: companies do CR, TS, etc. on the cheap because they think it doesn't cost them -- or that they won't pay additional health premiums for the ulcers this policy can give the people who actually make what the company sells. (Yes, I'm bitter; I spent >15 years as front engineer for an API for a large system, and had frequent fights with TS over the fact that they didn't make sure their reps for this functionality could do anything but copy the customer's mess to me.)

Fragano @ 54: I suppose #60 means you don't know whether the idiot also bagged two game wardens and seven hunters....

#63 ::: Dave Harmon ::: (view all by) ::: November 01, 2013, 03:04 PM:

Henry Troup #57: I think that one got covered in Teresa's last roundup of that scam type. In any case, it's long since become clear that most of these guys know they're bottom-feeders, and they craft their letters so the only folks who will respond (and take up their time) are the truly gullible. Notably, this includes those folks with judgement compromised by organic conditions (senility, stroke, etc.) or social conditions (desperation, poor education, knock-on effects of poverty...).

#64 ::: Mongoose ::: (view all by) ::: November 01, 2013, 04:01 PM:

Dave @ 63: or those who are new to the Internet. I think there ought to be a website with all the relevant information for "new bugs", as Molesworth would call them. You know, stuff like "don't open attachments from anyone you don't know", "never download free screensavers", and so on.

#65 ::: Christopher Davis ::: (view all by) ::: November 02, 2013, 09:38 PM:

CHip (#62): Frank Abagnale talked about using that scam in Catch Me If You Can, which was published in 1980 (well before American Gods).

#66 ::: Jim Macdonald ::: (view all by) ::: November 04, 2013, 05:23 PM:


From: "PayPal" <>
To: undisclosed-recipients:;
Subject: Notification Refund
Date sent: Mon, 4 Nov 2013 17:03:09 -0000
Send reply to: <>

Dear valued PayPal Customer,

Due to a policy update we need to verify your PayPal account. Please download the attached file , open it using your browser, fill in the required information and click update . Should you decide you do not wish to accept the verification process you can notify us before 08/11/2013 to close your account immediately without incurring any additional charges.

We do hope, however, that you continue to use PayPal and enjoy the following benefits: It's safer When you pay with PayPal your financial details are never shared with sellers or retailers, so you?e more protected against fraud. It's faster You don? have to type in your card details each time you pay, so you can check out faster online. You can also get eBay items delivered more quickly, as you can pay the seller instantly. It?'s easier PayPal is the preferred web payment method in the world because it? a smarter, savvier way to pay online in just a few clicks. All you need is your email address and a password.

Copyright © 1999-2013 PayPal. All rights reserved.


From: "Payroll Reports" <>


Subject: Payment Overdue - Please respond

Date sent: Mon, 4 Nov 2013 11:11:00 -0500

Please find attached payroll reports for the past months. Remit the new
payment by 11/10/2013 as outlines under our payment agreement.


Maxine Neal

This e-mail has been sent from an automated system. PLEASE DO NOT

CONFIDENTIAL NOTICE: The contents of this message, including any
attachments, are confidential and are intended solely for the use of the
person or entity to whom the message was addressed. If you are not the
intended recipient of this message, please be advised that any
dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify
the sender. Please also permanently delete all copies of the original
message and any attached documentation. Thank you.

Attached is "Payment" which contains "Payroll_Report-PaymentOverdue.exe"

MalwareBytes tells me that that executable contains something called Backdoor.Bot No chance in hell that I'll be running that one....

Smaller type (our default)
Larger type
Even larger type, with serifs

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.