Would you let a spammer give you a root canal? Sure you would!

Filed Under: Featured, Privacy, Spam

Cybersecurity Awareness Week (CSAW) will take place in Australia, and then in New Zealand, at the back end of May 2013. Sophos is an enthusiastic supporter of CSAW events around the world, because security is the shared responsibility of us all. CSAWs are a fantastic opportunity to review some of the security issues that we're all so inured to that we barely think about them any more. Such as spam.

We're all used to spam; most of us get quite a lot of it; some of us are awash in it.

But even if we see only the occasional unsolicited message, one thing seems certain: as a sales and marketing tactic, it's not very convincing.

I mean to say, it's bad enough getting into one of those call centre message loops that says something like, "Your call is important to us. So important, in fact, that we have stuck you in a call centre message loop that says, 'Your call is important to us. So important, in fact, that we have stuck you in a call centre message loop. Please hold.' Please hold."

At least when you're in a queue to get into a queue to get voice support, you can fall back on the thought that you initiated the communication for reasons of your own.

But when someone contacts you entirely for their benefit, out of the blue, and pitches you a concept that is peculiar at best, and outright alarming at worst...

...you really do find yourself thinking, "Why? WHY? What can the sender POSSIBLY hope to get out of this?"

Old-school spam still works

Sometimes, you can work out why.

For example, a few years ago, fellow Naked Security writer Graham Cluley decided it would be a laugh to count up his earnings from just one week's worth of money-making spam that built up in his inbox while he was on vacation:

290,259,462 of your United States dollars, if you don't mind!

The "why" in this case, as Graham pointed out in his well-worth-reading article, is because this sort of spammer will occasionally hook someone who is vulnerable, and who can't tell the difference between a genuine windfall and a cold-hearted scam.

Such victims may then end up being bled for thousands of dollars, or even hundreds of thousands, in bogus administration fees, loans, travel expenses, bribes, protection money and more.

Phishing still works

The "why" is obvious in this example, too:

Here, the crooks want to try to defeat two-factor authentication (2FA).

(The RVN mentioned in the email stands for Random Verification Number, a one-time password used for sensitive transactions by the bank referred to in the email.)

Even if only a handful of people aren't thinking clearly, and click through to dispute the bogus transaction, the criminals will be able to make money that would otherwise have been denied to them.

That's because their victims will helpfully relay the RVNs that are there to make scamming harder.

Spam in a post-email world

But what about the dentistry example shown above?

That was comment spam, almost certainly generated by hand and submitted to Naked Security.

It really does link to an apparently-legitimate dentist with an apparently-legitimate site:

How could this ever work? Who would ever click through?

When the spammer reminded me that "there are some qualifications that might be handy when choosing a dentist," I asked myself what things I might expect of a dentist I'd just picked off the internet.

A passing familiarity with the physiology of the jaw, mouth, gums and teeth, perhaps? Some sort of official sanction by an accredited medical licensing agency? No chronic dependency on the sort of habit-forming substances a dentist might have ready access to?


Keeping your own nose clean

So, as the antipodal Cybersecurity Awareness Weeks approach, keep in mind that cybersecurity isn't just about avoiding the bad stuff that crooked online operators fling at you.

Make sure you don't get into bed with electronic marketing companies that are involved in flinging unwanted or untrustworthy communications at other people.

That would make you into part of the problem.

If you don't have experience in social media, forum participation and other post-email ways of engaging people online, it's tempting to leave it to someone else, especially if they offer to let you pay on results.

That sounds like a no-risk deal, since if they do a worthless job, the job will be worthless, and you'll pay nothing.

But by outsourcing their on-line activities to an overseas boiler-room, and planning to making up for modest performance with unrelenting volume, dodgy e-marketing outfits could end up costing you dearly, since it's your reputation visibly on the line, not theirs.

So, if you do outsource your social media and similar online activities, keep an eye on what is being said in your stead.

Firstly, this will help you learn your way around the post-email online whirl; secondly, it will give you early warning if you're being promoted unethically or unprofessionally online.

And if that happens, simply pull the plug: you'll help yourself, and everyone else.

, , , , ,

You might like

12 Responses to Would you let a spammer give you a root canal? Sure you would!

  1. The_J · 854 days ago

    At least only a dentist.
    In our forum I've seen comment spam about plumbing, wedding dresses, real estate sales, pets, funerals and whatsoever.

    • Paul Ducklin · 853 days ago

      As we are a site called "Naked Security," we get offered a fair bit more than dentistry, too :-)

      What hasn't happened yet (and I was rather hoping it would, to add a sort of Alice in Wonderland weirdness to the whole thing) is a dentistry spam comment *to this article*, which is at least tangentially about dentistry...or perhaps some of your plumbing spam, since I said 'pull the plug" at one point.

  2. Is this done to increase Google PageRank and other such mesaures rather than (or as well as) for direct hits? Some of the ones I get in forums and blogs are utterly irrelevant to the forum/blog. However I do see many forums/blogs where such spamments are published so it could possibly help PageRank.

    When searching online for a local dentist you will not know the use of such techniques is the reason why a given dentist appears before others.

  3. Richard · 854 days ago

    "Who would ever click through?"

    How do you know where it linked to if you *didn't* click through?!

  4. Spellchecker · 853 days ago

    "antipodal" is spelled without an "e"

    • Paul Ducklin · 853 days ago

      According to my British and my American dictionaries...

      ...you are quite right!

      With no alternatives offered in either flavour of the language (unlike judgment/judgement or usable/useable).

      Thanks. I've corrected it.

  5. MikeP_UK · 853 days ago

    Plus the now commonplace bad grammar: "...Qualifications that will can't be ignored..."
    That alone should make you stop and think this is spam. If it isn't correct spelling and correct grammar for the country of origin (UK and US rules have differences) then it is almost certainly spam or else it is something you don'#t want to get involved with.

    • Paul Ducklin · 853 days ago

      The strange discord in subject matter is a bit of a giveaway, too...that "dentistry" spam was in reply to an article about keeping telemarketers under control.

      As though a forum spammer, ploughing through his daily target of 30,000 forum comments at $1 per 10,000, got his URL/subject matter lists out of alignment :-)

  6. Mike Matloff · 853 days ago

    Hi Paul,

    In reference to e-marketing spam, it can even be worse than what you mention above: Some of these e-marketers host and spread malware (presumably inadvertently) , so that if you receive an e-mail from them (e.g., a newsletter you signed up for from a company that uses them for marketing) you may well end up downloading malware.

    It is for that reason that I feel that companies who use e-marketers for their marketing campaigns (customer contact, newsletters, bulletins, press releases, etc.) should INSIST that all links in said campaigns point to THEIR servers, not the e-marketers'. After all, if I get infected by an e-mail on behalf of "ABC Widgets Incorporated," it'll be little consolation to me (the customer) to know the infection actually came from "XYZ Marketing." In most customers' minds, ABC Widgets will be held responsible for the violation, and rightfully so.

    I explain this point in more detail in my security paper titled, "How to Stay Safe on the Bleeping Internet":


  7. Roger · 853 days ago

    'Discord' doesn't have an aitch either, Paul!

    • Paul Ducklin · 853 days ago

      So it doesn't. I thought it looked wrong. I wouldn't have written "conchord", for example, except in the context of "Flight of The...", but, hey, it's a chord that sounds wrong, so the "h" found its way in there.

      Fixed, thanks.

      (If you blow notes on two Strombus shells at the same time, but it doesn't sound good, is that a "conch chord discord"?)

  8. Roger · 853 days ago

    Regarding your double on the Strombus shells, If I may borrow a line from Danny Kaye, "It's an ill wind that nobody blows good". (From 'Tubby the Tuba', I think.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog