Spam and phishing

You get what you deserve

Are you one of those people who’s always wondering what other people are talking about, or why the person in the cubicle next to you always takes certain phone calls in a whisper, or who your partner is sending emails to late at night? Call it curiosity, call it nosiness, call it paranoia: whatever you call it, there are plenty of people like this around.

Recently the bad guys showed us yet again how aware they are of human psychology, and how ready they are to exploit any and all human weaknesses.

This piece of Russian spam offers the curious, the nosy, or the paranoid the opportunity to read other people’s messages sent via Russian social networking sites, a range of web mail services, and ICQ. How? By brute-forcing their account passwords. The link in the message leads to a site which offers a “service for brute-forcing forgotten passwords”. Given that the email offers to “break into any account”, calling it a service is incongruous, to say the least.

The information on the site states that “forgotten” passwords will be brute-forced, starting from simple possible passwords (e.g. user name and password are the same, popular passwords such as “12345”, name + date of birth etc.) to more complex ones (e.g. dictionary attacks using English words – remember, this is a Russian service). Supposedly the process takes between 3 minutes and 10 days, depending on the complexity of the password, and the success rate is 80%. Of course, there’s no such thing as a free lunch these days, and in this case, the lunch has to be paid for by sending an SMS to a short (i.e. premium-pay) number.
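The guessing order the site advertises (user name as password, popular strings like “12345”, name plus date of birth, then dictionary words) is exactly the set of patterns a defender should reject at password-creation time. The following checker is an added example written for this post, not code from the original article or from Kaspersky; the common-password and dictionary lists are tiny constructed samples, and a real deployment would substitute a breached-password corpus and a full word list.

```python
from datetime import date

# Constructed sample lists (assumption): real deployments load a large
# breached-password corpus and a full dictionary instead of these entries.
COMMON_PASSWORDS = {"12345", "123456", "qwerty", "qwerty123", "password", "111111"}
DICTIONARY_WORDS = {"dragon", "monkey", "letmein", "welcome", "sunshine", "football"}


def date_forms(birth_date):
    """Digit strings people commonly build from a date of birth."""
    d = date.fromisoformat(birth_date)
    return {
        d.strftime("%Y"),      # 1985
        d.strftime("%y"),      # 85
        d.strftime("%d%m"),    # 0703
        d.strftime("%d%m%y"),  # 070385
        d.strftime("%d%m%Y"),  # 07031985
        d.strftime("%m%d%Y"),  # 03071985
    }


def weak_password_reasons(password, username="", first_name="", birth_date=None):
    """Return the weak patterns a candidate password matches.

    An empty list means none of the cheap first-pass guesses described in the
    post (same as user name, popular password, name + date of birth,
    dictionary word with trivial decoration) would hit this password.
    birth_date, when given, is an ISO string such as "1985-03-07".
    """
    reasons = []
    pw = password.lower()
    letters = "".join(ch for ch in pw if ch.isalpha())
    digits = "".join(ch for ch in pw if ch.isdigit())

    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if username and pw == username.lower():
        reasons.append("same as user name")
    if pw in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if first_name and birth_date and letters == first_name.lower() \
            and digits in date_forms(birth_date):
        reasons.append("first name + date of birth")
    if letters in DICTIONARY_WORDS:
        # e.g. "Dragon1!" is still just the word "dragon" to a guesser
        reasons.append("dictionary word plus trivial decoration")
    return reasons


def is_acceptable(password, **account):
    """True when the password matches none of the weak patterns above."""
    return not weak_password_reasons(password, **account)


if __name__ == "__main__":
    # Constructed sample account, not real data.
    account = {"username": "ivan", "first_name": "Ivan", "birth_date": "1985-03-07"}
    for candidate in ["ivan", "12345", "ivan1985", "Dragon1!", "Correct-Horse-Battery-7q"]:
        print(candidate, "->", weak_password_reasons(candidate, **account) or "ok")
```

Run it as a script to see which of the sample candidates fall to each pattern; only the last passphrase comes back clean. Note that the check is deliberately conservative: it flags the password class the scam claims to crack first, and a production policy would add a breached-password lookup on top.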

The EULA isn’t very helpful (and who reads them anyway?); it doesn’t say how much the SMS will cost, but points to a support site. Open this, and there’s still no clear information about how much the SMS will cost – by default, the list of short numbers and how much a message to each number costs opens on a cheap number (a message costs 45 roubles or around $1.50). But SMS messages to activate the “forgotten password service” cost a lot more (around 300 roubles or $10.25). The information is there if you dig for it, but again, who’s going to take the trouble?

The EULA also says that “[this site] is a source of information which is entertaining in character. The information on this site is partly made up and should not be taken seriously.”

In other words, there’s no genuine service on offer here: send an SMS, 300 roubles go out of your account, and then you get the “forgotten” password belonging to whoever’s mailbox you’re scoping out. But it’s probably not going to be any good – you’re likely to get a standardized, simple password, and these days (hopefully!) most people have started moving away from the “qwerty123” type of password. Result: you’ve lost $10, you don’t get to satisfy your curiosity, and the scammers make a tidy profit.

This whole story just goes to show that it’s not nice to read other people’s letters!
