Sunday, April 27, 2008

Is Anyone Stupid Enough to Fall for This?

 
I received this message today ...
Dear UTORONTO.CA Email Account Owner,

This message is from UTORONTO.CA messaging center1 to all UTORONTO.CA email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused UTORONTO.CA email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username :

EMAIL Password :

Address :

Department :

Attention!!! Account owner that refuses to update his or her account within ten days of receiving this Notification will lose his or her account permanently.

Thank you for using UTORONTO.CA!

Notification Code:VX2G99AAJ

Sandra Jacobson
ONLINE SERVICES
My question is serious. Is there any data out there to suggest that scams2 like this actually succeed? Are there people who respond to these notices by sending off their email passwords?

Also, what's the purpose behind this attempt to get email passwords? What do they plan to do with them? Are they hoping that the email passwords will give them access to the user accounts or do they just like to read email messages?



1. The sender is "Online Services (onlineservices@utoronto.edu)." A domain that does not exist. The reply-to address is "dataguards@instructor.net." I've often wondered how these scams work. How do the perps get the replies if the return address is bogus?

2. It's easier to recognize that this is a bogus message because of the language—obviously not written by someone whose native language is English—but even if it was grammatically correct most people would know that it's a scam, right?

8 comments:

  1. A quick probe suggests that dataguards@instructor.net exists (right?) Presummably they field lots of trails until they find the 'one' with the rare 'gullibility' mutation. (you only need one or two). E-mails could reveal useful information. Moreover with many online transactions requiring e-mail addresses and with users who use one password who knows what else could be accesssed online. (Thus we have to fractionate the field of trails yet again; hence the greater the number of trails the better)

    I have received e-mails actually asking for bank account numbers that one reveals to web sites whose address is only to be seen in the underlying source HTML of the e-mail.

    If I was a perp I think I would want people to think that it doesn't work and prevent data getting out to the effect that it does!

    On the other hand perhaps your points hold up and it is the perps that are stupid!

    Now here's a thought: Does this have parallels with some types of religion? "If you don't login in now you may find yourself locked out of heaven".

    ReplyDelete
  2. My message actually did come from a utoronto.ca e-mail account (onlineservices@utoronto.ca) which gave it somewhat of an air of legitimacy. Sadly, I could actually see the success rate being relatively high (say 5% or maybe even more) because of it.

    ReplyDelete
  3. There is at least one person stupid enough to fall for something like this here at the University of Guelph.

    U of Guelph email accounts can not currently send email to Hotmail accounts, because somebody got ahold of at least one @uoguelph.ca email address with password and sent a large amount of SPAM through it, including to a number of Hotmail accounts. This caused the reputation of the U of Guelph email server to drop below some threshold, triggering a lock-out by Hotmail.

    So, to answer your questions:
    1. Yes, people of that level of stupidity do exist
    2. The point of getting email passwords is for sending, not receiving, large volumes of email

    ReplyDelete
  4. The point of getting email passwords is for sending, not receiving, large volumes of email

    ..so it's another kind of identity theft..

    ReplyDelete
  5. My question is serious. Is there any data out there to suggest that scams2 like this actually succeed? Are there people who respond to these notices by sending off their email passwords?

    Yup, it only takes one gullible sucker.

    Also, what's the purpose behind this attempt to get email passwords? What do they plan to do with them? Are they hoping that the email passwords will give them access to the user accounts or do they just like to read email messages?

    This happened a few weeks ago at a college with which I'm associated. What it did was give the phisher access to real institutional email address lists to use as spoofed return addresses on spam. *.edu email addresses are typically not rejected by spam filters so more spam with real *.edu return addresses get through to the intended victims. I'm now getting "undeliverable" messages from addresses I've never heard of -- my institutional email address (along with hundreds of others) is now being attached to spam messages.

    It's a hassle for the institution, because it can result in the institution being placed on a spam blacklist which many other institutions use to trash incoming email. It can take weeks for the institution to 'clear' its name.

    ReplyDelete
  6. LOL!

    We got that one too at my Uni! heh!

    ReplyDelete
  7. Hi Professor Moran,

    This is Reynold from IEEE U of T Student Branch. One of our account also received this phishing email today. I have already reported to IT. Unfortunately, some students do believe this email is legit.

    The phisher is obviously targeting many public emails - student branches, professors - as identity theft. We should definitely bring this up.

    I am even thinking about creating a bogus account and track their IP down.

    ReplyDelete