I received the oddest spearphishing attack the other day. At least, I’m pretty sure that’s what it was, though can’t be 100% positive. Here’s the correspondence, with the name changed slightly to protect the innocent (if she is innocent, which I highly doubt).
From: "Marina Mitropoulos (ABCTours)" <email@example.com> To: <firstname.lastname@example.org> Subject: urgent! Date: Thu, 25 Oct 2007 13:43:07 +0300 Dear Mr Fogel, I would like your help in a very serious matter. Recently, my boss received an unknown senders email referring to me and accusing me for many terrible things that are not true and my job place is in jeopardy right now. I need your help to find this persons Id or even the password of his email. I want to find out whoâ€™s this person that is trying to ruin my life. The email that this message came from is: email@example.com Will you please help me? Im waiting for your kind reply, Thank u Marina
Now, I didn’t read that original mail when it first arrived. When email from an unknown sender has the subject line “urgent!”, I don’t even consciously process it as spam anymore — a couple of neurons somewhere in my brainstem take care of hitting the Delete key, while I go on to read the next subject line in my inbox.
But then came another message from her:
From: "Marina Mitropoulos (ABCTours)" <firstname.lastname@example.org> To: <email@example.com> Subject: KNOTSPAM Hi, Karl, long time no see... Date: Thu, 25 Oct 2007 15:57:12 +0300 Dear Mr Fogel, [...the rest is the same as the original...]
Whoa. Only a human could have sent that, because it had the “KNOTSPAM” marker signifying that the sender has read my web page explaining how to send me email that won’t be mistaken for spam. So she was real, and she was trying to talk to me in particular.
(Note the “Hi, Karl, long time no see…” in the new subject line, by the way. This was a lie: as she later admitted, she was a complete stranger.)
Now somewhat intrigued, I replied:
From: Karl Fogel <firstname.lastname@example.org> To: "Marina Mitropoulos \(ABCTours\)" <email@example.com> Subject: Re: KNOTSPAM Hi, Karl, long time no see... Date: Fri, 26 Oct 2007 13:44:36 -0700 Do we know each other? What makes you think I can help with this? When I received your first mail, I assumed it was spam. But then I received your second mail, with the "KNOTSPAM" marking in the subject line, which means that you read my web page and figured out how to send me email. That was a surprise. But I don't recognize your name, and I have no record of ever having exchanged email with you before. If we are acquainted, I apologize -- I do not have a good memory for names. Who are you? -Karl
She replied a day or so later:
From: "Marina Mitropoulos (ABCTours)" <firstname.lastname@example.org> To: "Karl Fogel" <email@example.com> Subject: Re: KNOTSPAM Hi, Karl, long time no see... Date: Mon, 29 Oct 2007 10:20:58 +0200 Dear Karl, No, we do not know each other, I work for a travel agency in Greece, my name is Marina Mitropoulos and as I wrote you in my previous email I am in a jeopardy to lose my job because of some idiot that is trying to make me look very bad at my boss's eyes. Unfortunately, this person did a good job by sending all he/she wanted through a free account email from a foreigner provider. I donâ€™t know to whom to turn to find out the truth, Iâ€™m not interesting in to read his/her emails, I only want to find out from where (country/area) this account was opened and if there's any real name given, or if nothing of the above if I can at least read some of other emails and try to understand to whom it could belong to by the way of writing..(I hope you understand what Iâ€™m trying to say) I understand that this could sound a bit unorthodox to you, but If you can help me I would very much appreciate it. I have tried even with a private investigator but here in Greece things are not so easy to find out a thing like that as it is in united statesâ€¦ I have searched the internet for trying to find anything I can on my own, but Iâ€™m clueless with these things and I only end up paying some stupid site for promising me to find it and at the end they couldnâ€™t even find my work emails detailsâ€¦ anywayâ€¦ I deeply apologize if I caused you any kind trouble, it was not my intention, I only need help if you can please... If you wish to contact me here's my phone nr +306974301136 I thank you again even for reading this email and for responding to itâ€¦ I m waiting your response, Thank u again. Marina Mitropoulos
Hmmm, a phone number! Why, I remember when I couldn’t pry that out of a woman at a bar for all the charm in the world… and now they’re throwing them at me by email. I love the Internet! Just kidding. Here’s how I responded:
From: Karl Fogel <firstname.lastname@example.org> To: "Marina Mitropoulos \(ABCTours\)" <email@example.com> Subject: Re: KNOTSPAM Hi, Karl, long time no see... Date: Mon, 29 Oct 2007 10:25:37 -0700 I can't help with your problem. But I'm fascinated that you picked a complete stranger at random on the Internet to ask for help. That seems very, very odd. I don't think it's likely to solve your problem. Most strangers would be suspicious that maybe you have some other motivation. For example, if someone's telling lies about you on the Internet, then it's just as easily possible that you are telling lies about yourself: from an outsider's point of view, neither one is more likely than the other!
If she’s a spearphisher, she’s going out of her way to keep her cover. She stayed in character to reply:
From: "Marina Mitropoulos (ABCTours)" <firstname.lastname@example.org> To: "Karl Fogel" <email@example.com> Subject: Re: KNOTSPAM Hi, Karl, long time no see... Date: Tue, 30 Oct 2007 10:01:33 +0200 I see your point and I totally understand... and in this case there is no point for me to try convince you otherwise. Just informational, I dont have any motivation to get into this email and snoop around for fun, I need it to find out who is trying to hurt meâ€¦ and this action to â€œpicked up someone randomâ€ on the internet , it shows how really desperate I am to find out the truth. I thought you could do something to help, but I see now how silly it might seems to you all this and Im very sorry I disturbed you but I thank u deeply for even replying to my mail. Marina.
I have no idea what to think now (other than I love the Internet!, of course). Searching for her real name gets exactly one hit, on a web page at the same ostensible Greek travel agency as her email address. On the off chance that she’s telling the truth, I’ve changed her name, and that of the travel agency. But not her number: if you want to get in touch with her, go for it, and good luck!
Wow — that really is strange, to invest so much effort in such an odd line of attack.
This is indeed very interesting. Her English is at near native speaker level, as is her comprehension of your rather subtle reasoning. Yet the scheme is entirely transparent. If you were to go to the effort of directly spearphishing a mark, wouldn’t it be much more compelling to make the hook more plausible than “I’m appealing to random people on the internet?” Perhaps spinning a yarn about how the anonymous denunciation appears to have originated from your domain, or that your name and/or website was referenced in the accusation, or even that you had been recommended by a mutual friend as someone who could help. Very strange… keep us posted.
Iâ€™ve been seriously tempted to call, just to see where it leads (an all-expenses-paid tour of Greece?). But not from my own phone. From a pay phoneâ€¦ using a calling cardâ€¦ that I bought with cash.
Call her up. Have an adventure. What’s the worst that can happen? You end up dead in a ditch in Sardinia?
No, the worst thing that can happen is the Americanization of James Bond. Oh, wait, that’s already happened. Maybe I should call her!