On a quiet Sunday here at SophosLabs, I was looking through our spam systems and noticed an interesting campaign.
The email arrives with a message body along the lines of the following:
hey cutie, are you stilll single? this is lydia from the other night...
sorry but, i lost your number the other night and the only way i know how to get back in touch with you is through this email....
here is a link to my page http://XXXXXXXXXXX.com
viewing my page is free (plus im usually online)
catch ya later bby
Hmm, that sounds interesting, I don't remember this Lydia but she sounds like a nice girl, I wonder what she's up to. So I click the link:
Look at that! A personal message for me from someone called Jen from Rietberg, Germany. Why, that's where I'm from! Or rather, that's where the IP address of the Tor exit node I'm browsing through is. And there are 4,129 users from my area online!
Well, this all sounds good. I'm always up for chatting with "Safe Girls". But wait a minute, they seem to want me to give them my credit card details, even though "you will not be charged."
I might just investigate a little further before I start handing over the crown jewels, even to "the safest girls on the internet."
That's a bit strange. This domain was only registered this morning, and in China of all places. After digging around a bit more, I found lots more messages arriving on our spamtraps with different domains that all have the same registration details.
Maybe these girls aren't quite so safe after all.
Oh well, I should have known really.