Elementary Gmail phishing

Filed Under: Phishing, Spam

Cybercriminals are regularly presented as twisted geniuses by the popular media, beavering away in dank basements constructing the latest malware to mess up critical national infrastructure or honing code to break into bank accounts and steal millions.

The truth is, of course, often somewhat less dramatic. You don't need to build a sophisticated attack to trick typical computer users into clicking on a dangerous link or attachment. You just need to dress it up as something alluring (a naked video of Natalie Portman or a bill for an air ticket you never purchased would probably do the job, for instance).

And sometimes, you just need to ask users a question with a straight enough face. If you're bold and brazen enough, you might just get away with it.

Take this elementary phishing attack that was seen by a Naked Security reader late last week, for instance.

Gmail phishing email

Yes, there are typos and inconsistencies in the way that words are spelt in the email, and anyone who pauses to breathe before responding hopefully realises that the one thing Gmail should be able to tell is whether your email account is active or not. All they have to do is see when you last logged in or read an email, right?

But there will be a small percentage of the public, perhaps those who are not as IT-savvy, who might worry that they will lose access to their precious Gmail account and respond without thinking.

It's easy to say that people who fall for an elementary phishing attack like this deserve everything they get, but I find that opinion rather hard-hearted. We should all ensure that friends and family who might be vulnerable - even to unsophisticated attacks like this - are briefed about the threats and helped to avoid them.

20 Responses to Elementary Gmail phishing

  1. Alan · 1359 days ago

    "typos and inconsistencies"? Just wondering if the spelling errors and murderous use of the English language in the article were meant to reinforce how elementary the Email was.

    If'n y'aint meanin' to then all y'alls in desperate need of a prufe reader. ;)

    spelt? spelled
    pauses to breath? breathe
    realises? realizes

    (Not to mention that horrific run-on sentence).

    I appreciate what Sophos does to keep us aware of the threats out there but for a professional company, you really need to be more careful of the English language.

  2. Funny response Alan, but I can't agree with all of your points.

    "to breath" vs "to breathe". You're right. My mistake. I'll fix. Thanks!

    "spelt" versus "spelled". "Spelt" is commonly used in the UK. I'm guessing you're not British if you find it uncomfortable. Rather like I feel rather ill if I hear or see the word "gotten".

    "realises" versus "realizes". I'm English, and we typically spell it "realises" over this side of the pond.

    Here's some further reading here on the differences between American English and English English: http://grammartips.homestead.com/british.html and you can see a good summary of the -ise/-ize issue here: http://www.worldwidewords.org/qa/qa-ise1.htm

    I rather like that language is dynamic - makes for a more interesting world.

    • Alan · 1359 days ago

      Eating some crow here. I keep forgetting y'alls from across the pond. My mistake.

      While I majored in the US form of English, I really need to brush up on my British form. Again, mea culpa and thanks for the links.

      • Mrs. W · 1358 days ago

        I dearly hope you're a Southerner who's just trying to be precious, else you owe additional apologies.

      • Chester Wisniewski · 1358 days ago

        Hi Alan, don't forget, we're global. :)

        I am an American living in Canada and Naked Security's Paul Ducklin is British via South Africa and now Australian. We kind of have the English bases covered.

        Working for a British company and living in Canada has provided me with a strange view of English. If you want the equivalent of Franglish in a melange of English, try Canadian.

  3. I much prefer to take the "lack of knowledge deserves education, not humiliation", leaving the latter as an option for those who demonstrate the trail of Defiant Cluelessness. Oh, and since I happen to own the domain for the [former] MMF Hall of Humiliation, I am totally behind the concept of "eliminating online scams... or at least laughing at them, mercilessly."

    ~EdT.

  4. Rob · 1359 days ago

    Judging by the signature, it was written by a Jamaican stereotype!

  5. Jane · 1359 days ago

    Spelt may be commonly used in the UK but its use is incorrect (I'm British). Spelt is a type of rye.

    I wholeheartedly agree with you on the spelling of realises!

    • Hey Jane

      There's plenty of folks on the net who say that "spelt" is perfectly okay as the past participle of spell in British English.

      For instance, http://esl.about.com/od/toeflieltscambridge/a/dif...

      and from the Oxford Dictionary itself: http://oxforddictionaries.com/definition/spelt?rs...

      And I agree with them!

      And yes, in the Cluley household we're all too aware of how spelt can also refer to a type of grain as my wife gets very grouchy in the vicinity of wheat..

      • Jane · 1359 days ago

        Of course you agree with them, they back up your case :D

        I used to regularly use 'spelt' but have been picked up on it (by foreigners!) and checked my dictionaries (I don't rely on on-line sources as they are often American and not relevant to English (British?) English) and my humble, single volume dictionaries don't support the use of 'spelt' as the past participle of spell so I stopped using it!

        I must say I find it amusing that someone would pick up on the spelling variant of s and z - a very common variant between US and UK versions of our noble language.

        • The article at http://grammartips.homestead.com/british.html has this to say about why Americans tend to be unaware of the differences in UK English, while Brits tend not to be overly concerned in the opposite direction:

          =-=-=-=
          "You would think that Americans would be familiar enough with British texts to realize that such differences do exist, and that when our friends in England, Australia, New Zealand--or in India, for that matter--follow the rules of usage that are appropriate to their own countries, they are not committing errors.

          "People trained according to British usage seldom try to correct Americans for following American rules of usage. If the differences between the two systems even come up at all, they are likely to refer to such differences in terms of a question--something along the lines of, 'Is that how it is done in America?' But usually the issue doesn't even arise, because they read books, papers, and magazines printed in the United States, and they are well aware of the differences.

          "But for some reason, many Americans are oblivious to the fact that such differences exist, and when they stumble across something written according to the British system of usage, their immediate reaction is that the writer has screwed up and needs to be corrected."
          =-=-=-=

          Hmm. We're in danger of both entering dangerous territory and going seriously off-topic. :)

          • Alan · 1359 days ago

            To Quote: "But for some reason, many Americans are oblivious to the fact that such differences exist, and when they stumble across something written according to the British system of usage, their immediate reaction is that the writer has screwed up and needs to be corrected."

            That is because we know we are right :D and the rest of the world needs to get with the programme (or program whichever). :D

            It is very interesting and I have (case in point) been guilty of it all too often. I think that the main reason is that we tend to forget that the world is a whole lot larger than "the States" and our surrounding neighbors. We tend to think that we are dealing with someone in the States every time we converse in the English language. Too often we just assume and that is never a good thing. ;)

            I offer, on the behalf of our too conceited nation, my humble apologies.

            • George · 1358 days ago

              Somehow the point of the original message got lost! Hey ho.

      • elrond · 1359 days ago

        about this Oxford Dictionary reference... I am looking it up in my Oxford Dictionary which I got down from the shelf and I don't see an entry for spelt as a past or past participle of spell. Anybody else find it in their hard copy Oxford Dictionary?

        I think this side topic is wonderful.

        • Alan · 1359 days ago

          Went and looked it up online.

          spelt 2 (splt)
          v.
          A past tense and a past participle of spell1.

          The American Heritage® Dictionary of the English Language, Fourth Edition copyright ©2000 by Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights reserved.

          THE AMERICAN HERITAGE DICTIONARY of all places. ROFLMAO

          • Andrew Ludgate · 1359 days ago

            If you look at spel/spelled/spelt from a linguistic point of view, you'll realise that "spelt" is only following standard grammatical convention (and is not an idiom) if you speel instead of spell. Consider feel->felt, fool->fooled (wait a sec...) peel ->pelt (er...)

            OK then, let's do it the other way. Spell is to spelt as fell is to felt, tell is to telt, sell is to selt.

            I think we'll have to agree that this is an idiomaticised verb, and leave it at that.

            Of course, having studied the formation of the English language, I could just say that we're just reverting to pre-17th century English as the masses (including the editors of the OED and the *KJV) abandon the King James Bible and the OED as canon.

            (as an aside, I have to say that the American (mis)use of Zed and the British butchery of words like spelled both grate on me like fingers on a chalkboard. Guess that's what comes from living in the colonies, eh?)

            • Paul Ducklin · 1359 days ago

              The funny thing is that at a lexical level - if my terminology is correct - there isn't a single spelling mistake in the phishing email. It would pass muster with the average spelling checker. Indeed, perhaps it did.

              (Lest anyone should panic, "pas" _is_ an English word, meaning "a dance step". French uses the same word, shamelessly borrowed from English along with many other loan words including: facade, demitasse, mille-feuille, metre and cricket.)

  6. holli gramm · 1359 days ago

    I would like some input on the topic of "ZuckMail". I keep getting emails from a message source showing zuckmail in the address...and the message subject claims someone I don't know is commenting on something I never posted...

    • My suggestion: don't click any links, or open any attachments, that are contained in such "ZuckMails". My guess is they (the messages) are either phishing or malware attacks.

      ~EdT.

  7. Buia · 1358 days ago

    This reminds me of my favorite "brazen" scam: a simple web advertisement asking "Has your credit card number been stolen? Find out!", followed by a little text area to type in your CC number.

    I guess then you'd know for sure...

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.