Creature from the Comment Spam Lagoon

While I was hunting up entertaining links for my most recent letters column, I came across this forum thread.

Well, I call it a thread. It's actually one post that led me to a fun page, followed by the most atomically disgusting comment spam it has been my misfortune to encounter in the whole of my sheltered little life.

Oh, I know that some people may be more horrified by filthy porno comment spam, or by hundreds of little one-link comments; it's a matter of (dis)taste. There's just something about the sheer one-paragraph, 300-link onslaught of these particular spammers that particularly tickles my own killing urge.

PayPal money laundering scam

Date: Sun, 4 Feb 2007 05:03:59 +0200
From: "GerX Man" <geremangere@gmail.com>
To: dan@dansdata.com
Subject: transfer status

Hi. This is a very serious business, so, relax into your chair and listen. Do you here something? No. Of course you don't. Or, if you do, close your window and read carefully. You want money. So do I. I will send you money through paypal but each time you will receive an ammount from me you will have to send me back half. Let me know if we have a deal. Now I'm sure you can hear something. The money sound. To see that I'm serious I will send you right now $50 into your account. This time you won't have to send me back half. You can do whatever you want. You can geld your dog, cat, (if you have one), you can buy some crack (if you're narcotic), you can buy a Hustler magazine (if you're obsessed)... it doesn't matter. I will wait for your email.

And then, lo and behold, I did indeed receive a $US50 PayPal donation, followed by another separate message from, uh, GerX.

The payment, however, was not from GerX, at least as far as I can see. It was from one "Alba Lugo", who has an AOL e-mail account.

Clearly, Alba Lugo and GerX are the same person, and this is all perfectly above board, and I should go along with it and become wealthy. What could possibly go wrong?!

(I've refunded the payment.)

PayPal seem to provide no way for me to complain about this. You can drill down in their Security section to a place where you can complain about fraudulent transactions made on your own account, but there doesn't seem to be a way to complain about scam artists sending you money from other people's accounts in the expectation that you'll send money back to their accounts and... oh, my head hurts.

(If I try entering the transaction number in the complain-about-a-fraudulent-transaction-on-your-account box, I get an error, because it's not a payment that I sent.)

Dear $FIRSTNAME...

I get e-mail newsletters from PayPal, who're bright enough to know that I'm in Australia and so should receive their specially pointless Aussie-flavoured newsletter.

Regrettably, they've now made a very serious, but quite common, mistake in these newsletters. They've made them look like phishing attempts.

Nearly every e-mail everyone in the world receives "from" PayPal is not, of course, from PayPal. It's from someone trying to send you to a PayPal-lookalike page and steal your account details. The second you see a non-PayPal URL in one of those messages, you know it's a scam, right?

Regrettably, PayPal have now retained the services of the unfathomable dimwits at "Tipping Point" here in Australia to produce newsletters that look like phishes. They're full of http://paypal.tippingpoint.com.au/... URLs, which just scream "Fake!":

Log in:
http://paypal.tippingpoint.com.au/emailer/emailer_ct.asp?eid=0&cid=57&lid=373

Security centre:
http://paypal.tippingpoint.com.au/emailer/emailer_ct.asp?eid=0&cid=57&lid=372

Help centre:
http://paypal.tippingpoint.com.au/emailer/emailer_ct.asp?eid=0&cid=57&lid=371

Password help:
http://paypal.tippingpoint.com.au/emailer/emailer_ct.asp?eid=0&cid=57&lid=370

Those URLs actually do redirect to PayPal's own servers, but for all you know they do it via some underhanded wizardry or other. They're exactly the kind of links we're all trying to teach our dads and aunties to stay the hell away from.

And then there are links like the "Take me shopping" one, which bounce through a PayPal server to somewhere else. In this case it's merchantoffers.com.au, which belongs to PayPal Australia, but once again smells far too phishy to modern noses.
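As an added illustration (not part of the original post, and not PayPal's or Tipping Point's code), the check below applies the recipient's "is this URL on the sender's own domain?" rule to the newsletter links quoted above. The allowlist of sender domains, the merchantoffers.com.au URL and the final first-party link are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: domains a recipient would recognise as the sender's own.
SENDER_DOMAINS = ("paypal.com",)
BRAND = "paypal"

LINKS = [
    # Quoted in the post:
    "http://paypal.tippingpoint.com.au/emailer/emailer_ct.asp?eid=0&cid=57&lid=373",
    "http://paypal.tippingpoint.com.au/emailer/emailer_ct.asp?eid=0&cid=57&lid=370",
    # Constructed: the post names this domain but gives no full URL.
    "http://www.merchantoffers.com.au/",
    # Constructed first-party link for contrast.
    "https://www.paypal.com/au/security",
]


def is_first_party(host, domains=SENDER_DOMAINS):
    """True only for an allowed domain or a subdomain of it (label-boundary match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Return (host, findings) for one link in an outgoing newsletter."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not is_first_party(host):
        findings.append("off-domain")
        # Brand name as a label under someone else's domain: the lookalike shape.
        if any(BRAND in label for label in host.split(".")):
            findings.append("brand-in-third-party-host")
    return host, findings


def audit(links):
    """Map each flagged host to its findings; clean first-party links are omitted."""
    report = {}
    for url in links:
        host, findings = classify(url)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(LINKS).items():
        print(f"{host}: {', '.join(findings)}")
```

Run over a newsletter before it is sent, a check like this flags every link a careful recipient would refuse to click, including ones on domains the sender legitimately owns but the recipient has no way to recognise.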

Lots of other organisations have made this same mistake. But that's not an excuse. It makes repeating the mistake even worse.

Tipping Point, in case you were wondering, are apparently "An interactive marketing agency strategically focused to deliver business-effective digital solutions that "tip" online customers."

Thanks to verbiage like this, Tipping Point's home page wank factor is a respectable 5.34. Most companies have moved on from the kind of corporate cant that the 2000-vintage Wankometer detects, but Tipping Point appear to be waiting for it to come back into fashion. The questionable book they took their name from is the same age as the Wankometer, by the way.

I hope PayPal aren't paying Tipping Point the kind of money you used to get in 2000 for crap like this.

Gold, stocks, magic beans... what to buy?

Today, the gods of the botnet have favoured me with a bunch of "Randomname check this" e-mails, some of which promote PMHD and some of which are still promoting good old CNPM.

But they don't tell you which one to invest in!

According to the thousands of completely different and independent real human beings who're sending us all the exact same e-mails every day about these piddling pink sheet stocks, both of them are about to receive major acquisition attention.

So you should spend all of your money on both of them!

This is terrible! I'm so confused!

Meanwhile, the multi-sourced "GOLD investments in Africa", "Real invest in real resource", "African GOLD Investment" spams keep rolling in.

I am indebted to a commenter on my last post for this image from the internationally respected Land Resource Association LLC's photos page:

[Image: Trustworthy miners]

That dude on the left looks very trustworthy, but the one on the right is clearly unconvinced that even white men are dumb enough to send any money.

The Land Resource Et Cetera Web site, by the way, is registered in the well known city of Ghana, Switzerland.

"Gold gold gold gold GOOOOLLLLD!"

The latest product of what I presume to still be the SpamThru botnet is a cavalcade of come-ons for an alleged mine for alleged gold in alleged Africa.

They're piling up in news.admin.net-abuse.sightings already; I've had a couple of dozen of them, as usual all from different servers.

The same objection applies here as it did to the previous outbreaks - not many people are likely to find an offer more appealing if they get numerous copies of it with slight subject line variations.

This one differs in that it's promoting a Web site, rather than a penny stock. The site (for the "Land Resource Association LLC" - I just added that so Google searchers can find this page) looks more than scammy enough to actually want to be promoted in this way, so I doubt this is a Joe Job.

Apparently, they're pulling about $US360,000 worth of gold out of the ground a month, so obviously they, um, need investors to send them money, so that they can... hmm.

It's not even clear what country they're pretending to be mining in. Maybe Ghana. In that case, the amount of gold they claim to be digging up now equals the GDP per capita of something like 8400 Ghanaian citizens. That's a lot of labour and machinery buying power in a country with 20% unemployment.

But never mind that. Invest! Invest now! Don't miss out on your one chance in a lifetime to be ripped off by this particular scam!

Spooky spam

I've been getting huge quantities of almost identical pharmacy spams from numerous servers (Verizon, telefonica.es, home.nl, pppool.de... clearly a botnet at work, again) over the last couple of days.

The text of every one of them seems to be:

We want to present you a pharmacy bulletin dedicated to Christmas holidays!!!

We have researched different on-line pharmacy stores, which are based in United States and
sell men's health drugs such as Viagra, Cialis, Levitra, Propecia etc.

They get "excellent" rating grade and we strongly advise to use their service.

Viagra Professional - ($3.25 with Christmas discount)
Viagra Soft Tabs - ($3.28 with Christmas discount)
Cialis Soft Tabs - ($4.62 with Christmas discount)
Cialis - ($4.53 with Christmas discount)
Levitra - ($9.576 with Christmas discount)

Also we have such winners:

1. "Best Canadian on-line pharmacy store".
2. "Excellent" rating grade - "MyCanadianPharmacy" store.
3. "Best International on-line pharmacy store".
4. "Excellent" rating grade - "LegalRxMedications" store.

Sincerely yours,
American Consumer Association

So far, so unremarkable.

But every single one of these spams (well, all five that I just randomly checked) seems to be promoting a different URL for the exact same pharmacy.

There's ieeppt.rudver.net, ctbmgh.puriol.com, chfrmu.sviolnet.net, bfkang.histrayd.net and chnclm.aulferi.info in the five I checked, all of them tagged with affiliate-ish stuff like "http://ctbmgh.puriol.com/?88255812&men". They all currently lead to, I presume, the same physical server. But every one of them gets an "IP not found" error from SpamCop, so it discards them as fake URLs and doesn't even try to find who's responsible for them.

The plain non-subdomained versions of the URLs (www.rudver.net, www.puriol.com...) give you the same pharmacy site. SpamCop can't find an IP for them, either.
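Because the message text is constant and only the promoted URL rotates, copies of this run can be grouped without resolving any of the URLs. The sketch below is an added example, not anything SpamCop or the original post uses: it masks URLs, hashes what is left, and reports the hosts seen per fingerprint. The hostnames and the affiliate tag are the ones quoted above; the "Visit" line, the reuse of the tag on every host and the unrelated message are constructed.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Hostnames quoted in the post.
HOSTS = ["ieeppt.rudver.net", "ctbmgh.puriol.com", "chfrmu.sviolnet.net",
         "bfkang.histrayd.net", "chnclm.aulferi.info"]

# First sentence is from the quoted spam; the "Visit" line is constructed.
TEMPLATE = ("We want to present you a pharmacy bulletin dedicated to "
            "Christmas holidays!!!\nVisit {url}\n")

# Constructed sample corpus: five copies of the run plus one unrelated message.
SAMPLES = [TEMPLATE.format(url=f"http://{h}/?88255812&men") for h in HOSTS]
SAMPLES.append("Unrelated constructed message, see http://other.example/ today\n")


def fingerprint(body):
    """Hash the body with every URL masked and whitespace/case normalised."""
    masked = URL_RE.sub("<URL>", body)
    normalised = " ".join(masked.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def cluster(messages):
    """Group messages by body fingerprint, collecting the hosts each group promotes."""
    campaigns = defaultdict(set)
    for body in messages:
        hosts = (urlsplit(u).hostname for u in URL_RE.findall(body))
        campaigns[fingerprint(body)].update(h for h in hosts if h)
    return dict(campaigns)


def rotating_campaigns(messages, min_hosts=3):
    """Fingerprints whose identical text points at many different hosts."""
    return {fp: sorted(hosts) for fp, hosts in cluster(messages).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for fp, hosts in rotating_campaigns(SAMPLES).items():
        print(fp, len(hosts), "hosts:", ", ".join(hosts))
```

A filter keyed on the fingerprint keeps matching when the next copy arrives with a sixth hostname, which a URL blocklist would miss.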

The domains all seem to be registered at Gandi.net, which seems to be a perfectly valid registrar that's presumably about to suspend them all. I hope Gandi didn't get paid with stolen credit cards.

I don't know what's going on with the un-look-uppable domains, though. This is a disturbing sign of competence from the botnet spammers, although they have once again hindered their message by repeating it far too many times.

Anyone got a clue about this?

Today's resistible offer

"You have been invited to connect as friends with Cameron fucking Allen".

I wonder if he'd like to be introduced to buttmunch628?