Tuesday, April 20, 2010

Microspam and the Stuck-in-London Scam

If you get a frantic e-mail message from someone you know saying they got robbed and are stuck in London without phone or money, it’s a fake. It is a new trend in e-mail spam, which I have dubbed microspam because it breaks what we imagined to be one of the most basic rules of e-mail spam. That rule is that the objective of e-mail spam is to send the same message to as many e-mail accounts as possible. Microspam messages are apparently sent to just one e-mail account. We are used to looking for signs of mass indiscriminate distribution of spam messages, so the new form of spam is throwing people off.

I first learned of the stuck-in-London scam on April 14 when the clueless administrators of an e-mail group revoked the membership of one of the victims of this scheme. As I read the story about one group member receiving a stuck-in-London message from another group member, and the person apparently sending the message being permanently banned from the group, my immediate thought was, “How do I know I’m not the person who has just been banned?” An e-mail message can appear to come from anywhere, even from my e-mail account, so I might have just been banned because of something I had no information about.

Since then, I have come across two other instances of the stuck-in-London scam, and I’ve heard a bit of hearsay from friends, enough for me to piece together, with only a slight degree of confidence, the bare outlines of the scheme: A criminal group has gained access to a large number of e-mail accounts, possibly all on Google. A bot is breaking into individual accounts to send messages. In a compromised account, the bot apparently sends a single unique message (the text assembled by machine to make it unique) to a single e-mail address of a person who has previously sent messages to the e-mail account owner. So it’s a spam message, but only one copy of the message is being sent. My assumption is that the bot continues to access the e-mail account in order to intercept any message sent in response, which would then be read and responded to by an actual criminal person. For me to have heard about this pattern almost once per day means that several million of these messages must already have been sent.

This scenario, of course, raises more questions than answers. Are all the compromised accounts on Google? Is the account data the criminals are using derived from the information criminal organizations affiliated with the Chinese central government obtained when they broke into Google’s servers in January? Are they using account passwords, or have they compromised the security of the e-mail server or the e-mail network?

Stolen passwords could be involved, so it seems a sensible precaution for anyone who has a Google account (whether using Gmail or not) and is using the same password that they had in January, to select a new password. (It is a good practice to periodically change any password that you depend on even if there is no indication that anything is wrong.)

The other immediate suggestion I have is that we have to change our way of thinking about spam. We have gotten reasonably good at blocking the scattershot form of spam, but equally harmful spam e-mail can also arrive in the form of a single message, sent only to you, that appears to come from someone you know. The fact that a message was sent only to one person should no longer lend the message any credibility.

There is a reason that the microspam messages of the stuck-in-London scam are all frantic in tone. The jolting rhythms of a frantic writer are not that hard for a text-generating computer program to imitate.
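As an added example (not code from the original post), here is a small Python heuristic that scores one message on the signals the scheme above relies on, rather than on signs of mass distribution: a single recipient, a sender you have corresponded with, frantic wording, a stranded-abroad story and a request to wire money. The sample messages, keyword lists, contact list and threshold are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Signals taken from the scheme the post describes; keyword lists and the
# threshold are assumptions for illustration, not a production rule set.
URGENCY = ("urgent", "asap", "immediately", "please help", "right now")
STRANDED = ("stuck in", "stranded", "robbed", "mugged", "lost my wallet")
MONEY = ("wire", "western union", "moneygram", "send me", "loan me")
THRESHOLD = 3  # at or above this, verify out of band before acting

# Constructed sample messages: one in the style the post describes, one benign.
SAMPLE = """\
From: Alice Example <alice@example.net>
To: bob@example.org
Subject: Please help!!

We got robbed at gunpoint in London and lost our wallets and phones.
Please wire $1,800 through Western Union so we can settle the hotel bill.
"""
BENIGN = """\
From: Alice Example <alice@example.net>
To: bob@example.org
Subject: Lunch

Are we still on for lunch on Thursday? Carol said she might join us.
"""

def score_message(raw, known_contacts):
    """Score a raw RFC 822 message; return (score, reasons)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # Single-part text message assumed; scan subject and body together.
    low = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()
    reasons = []
    if len(recipients) == 1:
        reasons.append("sent to a single recipient")
    if sender in known_contacts:
        reasons.append("sender is a known correspondent: " + sender)
    for label, phrases in (("frantic", URGENCY), ("stranded", STRANDED), ("money", MONEY)):
        found = [p for p in phrases if p in low]
        if found:
            reasons.append(label + ": " + ", ".join(found))
    return len(reasons), reasons

def needs_out_of_band_check(raw, known_contacts):
    """True when the message should be confirmed by phone or another channel."""
    return score_message(raw, known_contacts)[0] >= THRESHOLD
```

Because the post notes the text is machine-assembled to be unique, the keyword hits are the weakest signal here; the structural ones (one recipient, a known sender) are exactly what filters tuned for mass distribution overlook.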

But that too will change. Soon, with no advance warning, it will be possible for spam bots to start to imitate our individual writing styles, social behavior, and moods. This means it is simply no longer safe to act on information you receive in e-mail, however convincing it looks, without verifying the information in a more secure medium such as a social network, a known web site, or a voice conversation.

For the record, in case any of these messages appear to come from me, I am not stuck in London, and I don’t want you to wire me money. Please be skeptical of e-mail messages, even if they appear to come from someone you know. Your private e-mail account is scarcely more secure than a bulletin board in a hallway. The fact that people don’t mess with it all the time doesn’t mean it can be trusted. Don’t be misled, if you can help it, by the criminal element out there.

If you have a Google account, Charles Arthur at guardian.co.uk describes how to check account activity in Gmail. Please take a moment to check.