Wall Street phishers show how dangerous good syntax and a good pitch can be



#2

I’ve always wondered why people doing phishing attempts don’t get a native English speaker to write for them. It can’t be that hard to find an unscrupulous US college grad who can write a convincing scam.


#3

How much we talking here…?


#4

Yeah, I’ve got some free time, and I need money.


#5

So much funner of an article when the hackers are punching up. And, while writing as convincing professionals, the attachment displayed does link to a script written in php, so wouldn’t pass the sniff test of a certain subset of the population…


#6

Looking at the URL, it seems blatant that it’s a fishing attempt.
I think this further indicates my general stance is correct that people need training before hopping on the net. Not a crapton, but some basics of security. What a properly formed URL looks like (which could help eliminate a good chunk of phishing attempts), for example, would have done wonders to reduce the damage done by this vector.


#7

See? Like shooting phish in a barrel. I should market myself as a scam-writer headhunter. Now all I need to do is find the scammers. What’s the website for this “dark web” I keep hearing about?


#8

So, after nearly twenty years, the problem of macro viruses is still a thing. I… have no words.


#9

This is weird – if you can hire competent writers to ghost-write your term papers,

Judging from the number of bought-and-paid-for term papers I’ve caught over the years, it might be harder than you think.


#10

Right, but the text is good enough to distract you from the URL on two levels, even if you’re normally smart about what you click on.

First, it’s in standard business English. Everybody knows spammers and phishers sound like dadaist poetry run through Google Translate, which means everybody is vulnerable when suddenly it doesn’t.

But more importantly, notice the beautiful social engineering in the substance of the claim. Dear middle manager, I’m a client writing to inform you that an underling thinks you smell like poop. I’d like not to have to get your boss involved, so if you can give me a reason to think you’re on top of the situation… [[[click]]] That’s good stuff.

The trick here isn’t the malformed URL, it’s pushing the proper emotional buttons so deftly that “oh crap I’m gonna get fired” briefly overwhelms clicking discipline. Over the long term, a short con like this is going to net a certain number of marks, even if they’re well trained.


#11

Good point.

I did notice the social engineering aspect and thought that was pretty good, not thinking I would be suckered into it…

I suppose since I wasn’t feeling attacked (and warned in advance) it’s easier for me to see the URL as a clue without jumping into self-defense mode.

In the real world, perhaps I would be a sucker. I’d hope not, but one never knows.


#12

I’ve read that using poor English acts as a filter. You don’t want everyone to respond to your 419 scam, because only a few will be gullible enough to actually send you money. Using language that tips off smarter email users increases your hit rate. Besides, you’d have to split the profits with the translator if you’re not a native speaker.

But if your goal is to target a specific financial institution, rather than just catch some gullible fish in general, this scam shows it pays to get someone familiar with the norms of business email. Writing, “I am being head of Nigerian institution financial,” probably only works on people who aren’t real comfortable with written English themselves. Note that the punctuation and diction are not what you would see in an edited document, but are spot-on for an email from a college-educated person who isn’t being careful.


#13

You like money too?


#14

The gullible-people filter is useful if your intent is to string the victims along over multiple communications until they send you money - minimizing effort per payout.

But when what you want your victims to do is an immediate action - in a momentary lapse of judgement, type in their password at the wrong webpage, or open a virus-laden attachment - there is no additional effort expended per victim. A more convincing come-on email just gets you more infected computers to control, or more email accounts to mine for the information you wanted, or whatever.

So I understand why you’d want your Nigerian-prince or Russian-looking-for-Western-spouse emails to have some level of hints that they’re fake, but I don’t see what you’d gain by having such badly constructed one-shot phishing messages.


#15

Well, let’s get you signed up! Fill out your financial details in the form attached below, and you’ll get your first assignment in a couple of days. Thank you for your dedication to making phishing easier!


#16

OK, I’ll PM you those details. I don’t want to post the information here because a lot of hackers read BoingBoing. I’m really looking forward to the opportunity to work with you on this.


#17

I don’t even understand the URL at all.

Assuming the browser somehow chooses to go to the redirect portion of the URL (why would it?), that part, unescaped, is http:///forum/equities/375823902/article.php\par.

In neither case is there a TLD. Is this some IE thing?
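As an added illustration (not code from the thread or from the article it discusses), the check #17 is doing by eye can be written down: parse the outer link, ask whether its host carries a TLD, then percent-decode the path and query to see whether a second URL (a redirect target) is tucked inside, and ask the same question of that. The outer hostname `example.invalid` and the IP literal are constructed sample values; the empty-host redirect target is the one quoted in the post above. The TLD test is a syntactic heuristic (last label alphabetic, at least one dot), not a Public Suffix List lookup.

```python
"""Inspect a link the way a careful reader would before clicking: does the
host carry a TLD, and is another URL smuggled into the path or query?"""
import re
from urllib.parse import urlparse, unquote, parse_qsl

# Heuristic only (assumption, not a Public Suffix List check): a hostname
# "has a TLD" when it contains a dot and its final label is alphabetic.
# IP literals, bare "localhost", and the empty host of "http:///..." all fail.
_TLD_RE = re.compile(r"^[^.]+(\.[^.]+)*\.[a-zA-Z]{2,}$")
_URL_RE = re.compile(r"https?://[^\s\"'<>]*", re.IGNORECASE)

# Constructed sample: a plausible-looking outer link whose "next" parameter
# carries the empty-host redirect target quoted in the post above.
SAMPLE_OUTER = (
    "http://example.invalid/forum/login"
    "?next=http%3A%2F%2F%2Fforum%2Fequities%2F375823902%2Farticle.php"
)


def host_has_tld(host):
    """True when host looks like a registered name under a public TLD."""
    return bool(host) and bool(_TLD_RE.match(host))


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly; redirect parameters are often encoded twice."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_urls(url):
    """Return every URL-looking string found inside the path, query or fragment."""
    parsed = urlparse(url)
    haystacks = [fully_unquote(parsed.path), fully_unquote(parsed.fragment)]
    # parse_qsl already decodes one layer; fully_unquote handles further layers.
    haystacks += [fully_unquote(v) for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    found = []
    for text in haystacks:
        found.extend(m.group(0) for m in _URL_RE.finditer(text))
    return found


def analyse(url):
    """Report the outer host, whether it has a TLD, and the same for any nested URL."""
    parsed = urlparse(url)
    outer_host = parsed.hostname or ""
    report = {
        "host": outer_host,
        "host_has_tld": host_has_tld(outer_host),
        "embedded": [],
    }
    for inner in embedded_urls(url):
        inner_host = urlparse(inner).hostname or ""
        report["embedded"].append(
            {"url": inner, "host": inner_host, "host_has_tld": host_has_tld(inner_host)}
        )
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_OUTER).items():
        print(f"{key}: {value}")
```

Run on the sample, the outer host passes the TLD test while the nested `http:///forum/...` target has no host at all, which is exactly the "no TLD in either case" observation in the post; an IP-literal host such as `203.0.113.5` also fails the test, which is a useful thing for a reader to notice even though such links are not always malicious.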


#18

This topic was automatically closed after 5 days. New replies are no longer allowed.