Phishing summer phun

Nothing to do with mobile security, but today, I received a really funny phishing message. First, the topic was ambiguous enough to fool two spam filters, and to get me to open it. Then, the message itself was interesting:

Dear Mr/Mrs,

The “AMS Group Co.”, an international advertising agency, is looking for full-time company representatives all
over the USA.

[…]

Position requirements:

  • Undergraduate degree required;
  • Credit score not less then 650 (Will be checked through credit bureau);
  • Computer knowledge of order processing;
  • Skills in marketing activities, sales and promotion;

I really love the credit score requirement. These phishers are smart: if they are going to fool somebody, that person had better have good credit. Maybe this is common in phishing messages, but it is the first time I have seen that requirement.

Now that I think of it, phishing has something to do with mobile security. In France, we are starting to see more and more SMS spam that basically tells us “You have won a wonderful prize! Call 08 97 xx xx xx to claim it”. Of course, this is an expensive premium number. These phishers will not empty your bank account, but I am quite sure that their success rate is much higher than that of the guys who sent me the e-mail above.

Mobile phishers are indeed quite smart. Last year, still in France, some guy called a lot of people, supposedly from a premium number, and just let the phone ring once (to make sure that nobody could get the call). Of course, anybody calling back lost a little bit of money. The guy finally got caught, but it has been quite difficult to charge him, because what he did is not clearly illegal.

The main difference between mobile phishing and traditional Internet phishing is that each individual gain is rather small, but the return rate is higher. It does not mean that mobile phishers are smarter, but simply that there are schemes that allow a phisher to steal small amounts of money from a lot of people.

This has a strong advantage: few people will bother to file formal complaints for a 1€ loss. On the other hand, it has some drawbacks: most of these billing systems are handled by an aggregator who will count the number of connections to a premium number, and then pay a fee to the service provider associated with that number. If this aggregator (often linked to mobile operators) has the feeling that the service is actually fueled by phishing, they may be tempted not to release the money, and possibly to sue the service provider for some kind of breach of contract.

In the end, it is still a hard world for phishers.
