February 2010 Archives

Aggressive mimicry

27 February 2010 - 08:42 AM | Permalink

In the natural world, numerous species use mimicry — counterfeiting the appearance of another species or object — to hide from or deter predators. A smaller number are themselves predators, and use mimicry not for defense, but as a way to get closer to their prey. One of the most remarkable of these aggressive mimics is a small fish called the sabre-toothed blenny, which mimics another fish, the bluestreak cleaner wrasse. The wrasse enjoys a mutualist relationship with some larger fishes: it 'cleans' the bigger fish by eating parasites and dead tissue, something that benefits both parties. The big fish recognize the wrasse by its appearance, and by the 'dance' that it performs as it approaches.

The blenny closely resembles the wrasse and even duplicates the wrasse's distinctive dance. The fish that mistakes a blenny for a wrasse is in for a nasty surprise, however. Instead of virtuously cleaning up its unwary victim, the blenny will simply bite off a chunk of flesh and then take off at high speed.

Continue reading 'Aggressive mimicry'

Phish flood

21 February 2010 - 10:48 PM | Permalink

There's a fairly substantial phishing run going on at the moment, aimed at capturing Blogger or Google account credentials. The messages have the subject line 'Your Blogger Account' and a brief message urging recipients to click a link to 'update' their account. Recipients who click the link will be prompted to enter their Blogger or Google credentials.

An interesting feature of the run is that the phishers seem to have mass-registered a block of domains in the '.kr', '.or.kr', '.co.kr' and '.ne.kr' spaces. The actual domains registered all begin with the letters 'esu', followed by a single character, and then the top-level or second-level extensions. The phishers then create subdomains of those domains that are designed to look superficially like Google domains. Some examples include:

  • www.google.com.esub.kr
  • www.google.com.esuk.or.kr
  • www.google.com.esut.co.kr
  • www.blogger.com.esut.kr
  • www.blogger.com.esug.or.kr

These domains are hosted on what appear to be botnet hosts: a host lookup for any of the domains returns a list of 15 or 16 IP addresses, scattered all over the Internet.

It isn't clear why the phishers have chosen to generate names that follow such a predictable pattern, making filtering the abusive messages trivial. Moreover, most of the domains used are now flagged by Google as probable phishing sites.
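As an added illustration (not code from the original post), the naming pattern described above can be turned into a simple mail filter check. It flags both the 'esu' + one character registrations and, more generally, any hostname that carries a brand domain as a subdomain of someone else's domain; the function names and the assumption that the single character is a letter or digit are mine.

```python
import re
from urllib.parse import urlsplit

# Brands the run impersonates, per the post.
BRANDS = ("google.com", "blogger.com")
# Registered names in the run: 'esu' + one character under .kr or the
# or/co/ne second-level zones. Assumption: that character is a letter or digit.
CAMPAIGN_RE = re.compile(r"(?:^|\.)esu[a-z0-9]\.(?:(?:or|co|ne)\.)?kr$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify(host):
    """Return the reasons a hostname matches this run's pattern."""
    host = host.rstrip(".").lower()
    reasons = set()
    if CAMPAIGN_RE.search(host):
        reasons.add("campaign-domain")
    for brand in BRANDS:
        # Brand labels present, but the name does not end with the brand:
        # the brand is only a subdomain of someone else's domain.
        embedded = host.startswith(brand + ".") or f".{brand}." in host
        genuine = host == brand or host.endswith("." + brand)
        if embedded and not genuine:
            reasons.add("brand-as-subdomain")
    return reasons


def scan_message(body):
    """Map each flagged hostname found in a message body to its reasons."""
    hits = {}
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        reasons = classify(host)
        if reasons:
            hits[host] = reasons
    return hits


# Constructed sample message; the .kr hostname is one listed in the post.
SAMPLE = """Subject: Your Blogger Account
Please update your account: http://www.blogger.com.esug.or.kr/login
Help: https://www.google.com/support and http://www.google.com.example.net/x
"""

if __name__ == "__main__":
    for host, reasons in scan_message(SAMPLE).items():
        print(host, sorted(reasons))
```

The brand-as-subdomain check keeps working if the phishers switch to a different block of registered domains, which the campaign-specific pattern does not.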

Buddy, can you spare a link?

20 February 2010 - 03:07 PM | Permalink

I have a nasty suspicious mind.

I recently received a message about one of the other websites I run, from a woman named Donna. She wanted to let me know how useful she'd found one of my pages for a school project she was doing and to point out that one of the links on the page was broken. She also had a suggestion for a substitute link that I could use in its place. I started to write a polite note thanking her and then stopped, struck by a thought.

What if 'Donna' wasn't entirely disinterested in recommending that link? What if ...

Continue reading 'Buddy, can you spare a link?'

Why phishing works

12 February 2010 - 12:07 PM | Permalink

John Gruber has a brief note about the 'Facebook login' problem, pointing to the unfolding trainwreck at ReadWriteWeb. The core problem is that many users seem to have only a very shaky grasp of how to use the Web. Their strategy for finding, say, Facebook, is simply to type what they're looking for into Google, and then click the first result that comes up. As the ReadWriteWeb case demonstrates, once they get there they have no idea that they're not where they want to be.

Continue reading 'Why phishing works'

He go chop your dollar

11 February 2010 - 10:00 AM | Permalink

Scam Detectives has published a three-part interview with a former 419 scammer. "John", who claims to be a repentant scammer, describes 419 as an organized criminal activity with a hierarchy of roles. Initial contact with potential victims is made by 'foot soldiers'; once the victim shows interest, the contact is handed off to a more senior member of the gang with better language skills. "John" also reveals that the gangs engage in other kinds of fraud, including phishing and black money scams.

From Russia with scams

09 February 2010 - 09:45 AM | Permalink

One persistent type of spam-advertised Internet scam is the so-called 'Russian bride' scam. The basic form is simple: the scammer sends out messages that claim to come from lovelorn young Russian women seeking romantic partners in the West. 'Elena' (or 'Katerina' or 'Natasha') paints a picture of herself in broken English as a sweet, sensitive (but sexy) young girl who is disappointed with Russian men and hopes to find her true love elsewhere. 'She' explains that she "saw your profile on that dating site", or got your email address from a friend. The messages typically include a picture, and a contact email address where potential suitors can contact the sweet young innocent.

Continue reading 'From Russia with scams'

