Plenty more phish in the sea

Why are phishing gangs so dumb?

I received some phishing spam today, targeting HSBC Hong Kong customers. They did one thing right – they targeted .hk e-mail addresses. Pity I use a .com e-mail for my banking, really. But that’s not the dumbness, that’s just bad luck on the phishers’ part.

The dumbness takes two forms. Firstly, the English. Yes, I know they’re Russian. Or Chinese. Or at least, that English is not their native language. But how much would it cost them to employ an actual English speaker to proof-read their spam? Unemployment is over 2 million in the UK, so it wouldn’t be hard for them to find one! I mean, just take a look:

Subject: HSBC Hong Kong All advanced forum features are available;
Date: Tue, 17 Feb 2009 04:34:16 +0200
From: HSBC Hong Kong <manager@hsbc.com.hk>
To: me
HSBC Hong Kong:

New user interface features and a new user interface for the HSBC Hong
Kong Users, were designed in order to reduce the high cognitive and
physical load that users experience when controlling the HSBC Hong Kong.

These interface features, and the new interface, were evaluated for
their performance. The following results were obtained.

Proceed to view details:

[URL removed for sanity]

Sincerely, Freida Porter. Customer Service Department.
Copyright hsbc.com, inc. All rights reserved.

Not very convincing, eh? Also, there’s no attempt to sell me a loan. I can’t remember the last time HSBC communicated with me and didn’t try to sell me a loan on the side.

So, a little investment in a suitably fluent proof-reader who can imitate real HSBC e-mails would have paid off here.

Dumbness number two is just plain incompetence. In order to circumvent spam filters, the spammers fire out multiple copies of almost the same message… with different subject lines and different, randomly-generated, names at the bottom (none of which were even vaguely Chinese, incidentally). I received fifteen or so in the space of an hour (all flagged as spam, so they failed there too). The sheer quantity should make even the most gullible pause and think: that’s weird.
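That burst of near-identical messages is itself a usable signal for a mail filter: if you strip out exactly the parts the spammers vary (subject line, signature name, tracking URL) and fingerprint what is left, the fifteen "different" e-mails collapse into one cluster that arrived within an hour. The following is an added example of that heuristic, written for this post and not code from the original; the messages it scans are constructed to mirror the template quoted above (with a placeholder `example.invalid` link), and the threshold of three copies in an hour is an assumed tuning value.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

# Patterns for the parts a template spammer typically randomises per copy.
URL_RE = re.compile(r"https?://\S+", re.I)
SIG_RE = re.compile(r"^sincerely,.*$", re.I | re.M)   # "Sincerely, <random name>. ..."
WS_RE = re.compile(r"\s+")


def normalize_body(body: str) -> str:
    """Replace variable fields with tokens so template variants compare equal."""
    text = URL_RE.sub("<url>", body)
    text = SIG_RE.sub("<signature>", text)
    return WS_RE.sub(" ", text).strip().lower()


def fingerprint(body: str) -> str:
    """Stable hash of the normalised body; this is the cluster key."""
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()


def find_bursts(raw_messages, min_count: int = 3, window_seconds: int = 3600) -> dict:
    """Return {fingerprint: [(date, subject), ...]} for every template that
    arrived at least min_count times within window_seconds."""
    clusters = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        fp = fingerprint(msg.get_payload())
        clusters[fp].append((parsedate_to_datetime(msg["Date"]), msg["Subject"]))

    bursts = {}
    for fp, items in clusters.items():
        items.sort()
        # Sliding window: any min_count consecutive arrivals inside the window.
        for i in range(len(items) - min_count + 1):
            span = (items[i + min_count - 1][0] - items[i][0]).total_seconds()
            if span <= window_seconds:
                bursts[fp] = items
                break
    return bursts


# --- Constructed sample data (not real mail); same body, varying fields. ---
def _phish_variant(subject: str, date: str, name: str, token: str) -> str:
    return (
        f"Subject: {subject}\n"
        f"Date: {date}\n"
        "From: HSBC Hong Kong <manager@hsbc.com.hk>\n"
        "To: me@example.com\n"
        "\n"
        "HSBC Hong Kong:\n\n"
        "New user interface features and a new user interface for the HSBC Hong\n"
        "Kong Users, were designed in order to reduce the high cognitive and\n"
        "physical load that users experience when controlling the HSBC Hong Kong.\n\n"
        "Proceed to view details:\n\n"
        f"http://example.invalid/{token}/\n\n"
        f"Sincerely, {name}. Customer Service Department.\n"
        "Copyright hsbc.com, inc. All rights reserved.\n"
    )


SAMPLE_MESSAGES = [
    _phish_variant("HSBC Hong Kong All advanced forum features are available;",
                   "Tue, 17 Feb 2009 04:34:16 +0200", "Freida Porter", "a1"),
    _phish_variant("HSBC Hong Kong New interface is ready",
                   "Tue, 17 Feb 2009 04:41:02 +0200", "Marvin Cole", "b2"),
    _phish_variant("HSBC Hong Kong Users evaluation results",
                   "Tue, 17 Feb 2009 04:52:33 +0200", "Agnes Whitfield", "c3"),
    _phish_variant("HSBC Hong Kong Important interface update",
                   "Tue, 17 Feb 2009 05:10:45 +0200", "Todd Marsh", "d4"),
    # An unrelated legitimate-looking message that must not be clustered.
    "Subject: Lunch on Thursday?\n"
    "Date: Tue, 17 Feb 2009 04:50:00 +0200\n"
    "From: Alice <alice@example.com>\n"
    "To: me@example.com\n"
    "\n"
    "Are you free for lunch on Thursday? Sincerely, Alice.\n",
]


if __name__ == "__main__":
    for fp, items in find_bursts(SAMPLE_MESSAGES).items():
        print(f"burst {fp[:12]}: {len(items)} copies")
        for date, subject in items:
            print(f"  {date.isoformat()}  {subject}")
```

The normalisation is deliberately crude; a production filter would also tokenise the subject and ignore the display name in `From:`, but the point is that randomising a few fields does nothing against a filter that keys on the invariant template.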

Interestingly, the phishing web site linked from the e-mail was very well done, looked convincing, and had a trojanised “You need the latest Adobe Flash Player” download. It’s odd that the criminals should put so much effort into their web site and then waste it with a half-arsed e-mail campaign. (Strictly, this means it’s not phishing, which is an attempt to get a user name and password. HSBC’s synchronous authentication defeats keylogging, so the trojan is probably a man-in-the-middle attack that waits for the user to authenticate with HSBC and then patches the criminals into the session. I didn’t get time to download it to a virtual machine and try it out.)

It goes without saying that they’re only after a tiny number of victims, that they expect 99.9% of their e-mails to be ignored. And of course, their incompetence and laziness are a boon to those grey-area types out there who just might fall for a well-constructed phishing scam. But still, it pains me to see shoddy work, even when it’s crime!