Comments on: Deliberate typos in phishing scams?

Question: Deliberate typos in phishing scams?

PinkStainlessTail — Tue, 13 Dec 2005 09:43:43 -0800

Why do phishing scam e-mails always seem to have at least one very obvious typo?

even when one of these things is well written (like by someone who may actually be a native english speaker) there's always one, often quite a big one. For instance, the most recent message I've received has "Please note that this suspension does not relieve you of your agreed-upon obligation to !pay any fees you may owe to eBay." !pay looks like a hard mistake to make and an easy one to catch before sending, particularly when the scammer has taken the time to write a semi-plausible e-mail with a masked url, etc. Is there some scammer lore that says if there's an obvious typo, they can't arrest you or something?

By: Optamystic

Optamystic — Tue, 13 Dec 2005 09:45:25 -0800

It's a ploy used to defeat spam filters, which look for specific words such as "Viagra", "Free", "Rolex" etc..

By: knave

knave — Tue, 13 Dec 2005 09:45:43 -0800

To get past spam filters which are based on keywords.

By: knave

knave — Tue, 13 Dec 2005 09:46:08 -0800

Now that's a jynx.

By: pmbuko

pmbuko — Tue, 13 Dec 2005 09:47:03 -0800

I doubt it has anything to do with legal loopholes. Perhaps the persons doing the phishing are so brainless that they have to leave a signature of some sort so they themselves don't fall prey to it?

By: PinkStainlessTail

PinkStainlessTail — Tue, 13 Dec 2005 09:49:54 -0800

Thanks, but "v1agrra, r0lexx,"etc. are not the kind of thing I'm asking about.

By: thanotopsis

thanotopsis — Tue, 13 Dec 2005 09:59:59 -0800

Thanks, but "v1agrra, r0lexx,"etc. are not the kind of thing I'm asking about.

Certainly, but Optamystic and knave certainly have good guesses: You said it yourself, they're otherwise grammatically correct letters. The logical explanation is that the typo is purposeful. The question then is: To what purpose?

By: blue mustard

blue mustard — Tue, 13 Dec 2005 10:01:17 -0800

I wonder if it's an attempt to fool spam blockers at ISPs that reject large numbers of identical messages. If the exlamation point was changed or moved for each recipient, then each email would be "unique," perhaps helping it get through the filters.

By: cyphill

cyphill — Tue, 13 Dec 2005 10:42:44 -0800

I just recently received a phishing email that spelled the word "chance" "chanse". I seriously doubt that they misspelled that to get around filters.

By: curiousleo

curiousleo — Tue, 13 Dec 2005 10:50:34 -0800

I also second that it is to fool the spam blockers...
But they are still very dumb people.. I had a scammer who pretended to be interested in buying my used car who kept replying to my messages with purposeful typos... like "I will send you $10000 cas hier's che ck for your $6000 car if you would refund me $4000 when you sh ip your car to me" Even though I was also pretending to be interested in selling the car and kept replying, he would still do the typo thing.

I sold two cars through autotrader.com and every time I had at least two scammers trying to do same thing to me.. My friend had exact same scammer when he was selling his car so I knew what I was getting into...

During the weekend when I had free time, I gave both scammers' email address to eachother and told them to talk to eachother and I will sell the car to highest bid...

it was the funniest thing I ever saw.. they actually pretended to eachother all in typos again... During about an hour or so, I sent both scammers some garbage attachement files to fill up their fake free email accounts...(i wanted to get it back to them some how... or at least waste their time...)

These were persistant scammers who would talk to you for more than few days and few dozen emails to get you to fall for their scams...

Maybe I should have contacted police or something.. but If this type of thing happens so often, why could they track them when a guy comes to my front door to pick up my car and give me the fake over-amount check.

Couldn't cops trace back to the scammer fairly easily when scammers are about to receive the payoff...?

All scammers are trying to get payoffs some how... and at these modern days, I can't believe everyone can not be traced back... AD spams I can understand.. but outright fraud scammers should be hunted down...

I almost wanted to give the scammer my local police dept address and have the shipper come to the station... the shipper probably don't know what is going on but at least the cops can be aware of the situation and hoply do something about it.

It was going to be simple "I second that" but sorry I started to get emotional...

By: Plutor

Plutor — Tue, 13 Dec 2005 10:50:40 -0800

cyphill: "I just recently received a phishing email that spelled the word "chance" "chanse". I seriously doubt that they misspelled that to get around filters."

Many spam filters use a huge number of little rules to decide if something's spam. A certain phrase or a couple words used near each other is more likely to be spam than not, so the filter adds a fraction of a "maybe spam" point to that email. If the number of points exceeds some limit, it's spam.

"Chance" seems like a perfect word to misspell. A non-trivial number of spams probably talk about "chance to win" or some such, so I wouldn't be surprised if that word (or the phrase) had value to a Bayesian filter. The same with "pay".

By: Falconetti

Falconetti — Tue, 13 Dec 2005 12:18:09 -0800

These were persistant scammers

And why should we believe you, hmm? :)

By: waldo

waldo — Tue, 13 Dec 2005 12:29:34 -0800

I think the bang ("!") in your e-mail is simply an artifact of exploiting an e-mail form in order to broadcast the message. Some forms being handled via some languages (data posted to a poorly-written [eg, mine] PHP e-mail handler, for instance) will force wrap lines that are too long, marking that wrap with a bang.

By: curiousleo

curiousleo — Tue, 13 Dec 2005 12:50:14 -0800

Falconetti... :-) persistent

You are right... why should anyone believe anonymous messages...

But these few supposely potential sales transactions got me thinking...

These weren't dollar scammers, these were few thousand dollar scammers... what if i was older person or people who are not yet savvy internet user like my well educated friend who was approached (who actually was going to go through with this before I stopped him).

How large of problem with this?
Does this happen everytime a person puts ad like mine?
So far it has happend everytime my friend and I put our ads... (although it was only three times...)

Are there an official task force like "internet sex police" regarding these scammers?

By: cyphill

cyphill — Tue, 13 Dec 2005 13:21:28 -0800

Sorry, I misquoted the email. The actual phrase was "If you choose to ignore our request, you leave us no choise but to temporaly suspend your account". So they actually misspelled a couple of words.

By: SashaPT

SashaPT — Tue, 13 Dec 2005 14:09:16 -0800

I've always gotten the impression that the people writing the emails aren't native speakers of English - the grammar is always a little bit off in addition to the spelling, like they're using a computer translation.

By: Aknaton

Aknaton — Tue, 13 Dec 2005 14:28:41 -0800

Just as with encyclopedias: these "mistakes" are copyright traps, in that when other phishers duplicate their approach, the first will have grounds for a lawsuit. No?

By: 4easypayments

4easypayments — Tue, 13 Dec 2005 15:06:26 -0800

Some spam blockers (especially one's that rely on collaborative human identification) compare incoming messages to previously identified spam messages (hashes, usually). It's possible that the typos are inserted in unique combinations by the mass-mailing program to create slightly different, but still readable versions of the message, bypassing detection by comparison.

By: skallas

skallas — Tue, 13 Dec 2005 15:14:48 -0800

I'll second the hashes explanation. It would be interesting to see if someone you know (outside your email domain) got the same spam and if they have "!pay" in the same place. A smart spammer would dynamically alter every message so your friend's spam might have "pay" but "!ebay" instead, thus creating a completely different hash.

By: altolinguistic

altolinguistic — Tue, 13 Dec 2005 15:57:06 -0800

SashaPT - a computer translation wouldn't introduce spelling errors, unless the errors were there in the original and by some fluke the word was the same in both languages.

By: junesix

junesix — Tue, 13 Dec 2005 18:47:40 -0800

4easypayments got it.

The use of spelling and content variants in the message is specifically designed to defeat collaborative distributed hash databases. Vipul's Razor, Pyzor, and DCC are among the public databases and large spam filtering service firms have their own private hash databases for their clients.