In the natural world, numerous species use mimicry — counterfeiting the appearance of another species or object — to hide from or deter predators. A smaller number are themselves predators, and use mimicry not for defense, but as a way to get closer to their prey. One of the most remarkable of these aggressive mimics is a small fish called the sabre-toothed blenny, which mimics another fish, the bluestreak cleaner wrasse. The wrasse enjoys a mutualist relationship with some larger fishes: it 'cleans' the bigger fish by eating parasites and dead tissue, something that benefits both parties. The big fish recognize the wrasse by its appearance, and by the 'dance' that it performs as it approaches.
The blenny closely resembles the wrasse and even duplicates the wrasse's distinctive dance. The fish that mistakes a blenny for a wrasse is in for a nasty surprise, however. Instead of virtuously cleaning up its unwary victim, the blenny will simply bite off a chunk of flesh and then take off at high speed.
Spammers practice aggressive mimicry as well. By using faked email addresses, compromised hosts and deceptive subject lines or texts, they try to evade the victim's defenses — email filters and natural skepticism. In most cases, the degree of mimicry is small: for example, a spammer might simply use one address at a given domain in the 'From' line of a message sent to a second address at the same domain, knowing that email filters — or users — may be more receptive to messages that appear to come from friends or colleagues.
Spammers and scammers also practice mimicry on a larger scale. For example, the Canadian Pharmacy pill spammers often send out messages that outwardly resemble newsletters from known high-volume senders. The messages duplicate not just the 'From' line and 'Subject', but also large chunks of newsletter text, including many distinctive names and keywords. The spam payload is hidden away inside, making up only a small portion of the total text. Only when the message is rendered by the recipient's email client is it revealed for what it is: another pitch for fake pills.
In nature, a sabre-toothed blenny that wants to benefit from the cleaner wrasse's special "All Areas Access" pass has to laboriously duplicate the wrasse's identifying characteristics through natural selection, a process that takes tens if not hundreds of millions of years and involves large numbers of blennies who didn't eat or got their heads bitten off because their mimicry wasn't convincing enough. In the spam ecosystem, spammers can duplicate a desirable phenotype in seconds, dropping their spam payload into the body of a digital 'host' document and sending it on its way.
Today's example consists of a message apparently sent by an organization called Haiti Outreach, soliciting funds for earthquake victims in Haiti. The message, highly professional in appearance, contains embedded graphics and links to a website, haitioutreach.org and a payment processor, Obopay.
From the fact that the message was sent as unsolicited email, I immediately suspected a scam. My first guess was that the organization and the website were fakes, hastily created in the wake of the disaster to lure unsuspecting victims. A quick search in Google, however, revealed that the organization enjoys a reasonable reputation, with plenty of recommendations from trustworthy sources and a substantial 'web history'. There doesn't seem to be any reason to suspect either the organization or the payment processor.
I took a closer look at the URLs. They all went where they were supposed to go. Phishers will often display one URL while sending victims somewhere totally different, but both the displayed and actual URLs matched up. Then I saw the hook.
The message says "You can make a donation to Haiti Outreach using Obopay in these ways:". The second way, according to the message, is to set up a widget on your website. But the first way is to:
Go to www.westernunion.com on your internet browser and log into your Western Union Account to send money. Then select "Send Money" and send it to
Name: Joseph Onuorah,
Address: Baltimore, Maryland, USA.
Test Question: What for
Test Answer: Haiti Relief
and there's the scam. All Joseph Onuorah (if that is his name) had to do was to take a real Haiti Outreach newsletter and substitute a single block of text, replacing whatever payment method had actually been recommended with instructions for using Western Union to send him money. The actual effort involved is minimal. Moreover, the complete text of the legitimate newsletter works on his behalf, carrying his payload through the spam filters and lulling the victim's suspicions. Joseph Onuorah's scam has put on the appearance of a benign message, done its little dance, and now it's ready to bite off a chunk of flesh and high-tail on out of there.
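The two checks described above (displayed URL versus actual link target, then looking for a substituted payment block once the links pass) can be automated. The following is an added example written for this post, not anything from the original; the HTML fragment is constructed from the quoted instructions, and the wire-transfer cue patterns are my own assumptions about what a charity appeal would not normally carry:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: newsletter-style HTML whose links all go where they should,
# but whose payment instructions have been swapped for a person-to-person wire.
SAMPLE_HTML = """
<p>Donate at <a href="https://www.haitioutreach.org/donate">www.haitioutreach.org</a>
or via <a href="https://www.obopay.com/">Obopay</a>.</p>
<p>Go to www.westernunion.com on your internet browser and log into your Western
Union Account to send money. Then select "Send Money" and send it to
Name: Joseph Onuorah, Address: Baltimore, Maryland, USA.
Test Question: What for Test Answer: Haiti Relief</p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(s):
    """Hostname of a URL or bare domain, lower-cased, without a leading 'www.'."""
    netloc = urlparse(s if "://" in s else "http://" + s).netloc.lower()
    return netloc[4:] if netloc.startswith("www.") else netloc

def mismatched_links(html):
    """Anchors whose visible text looks like a URL but whose href resolves elsewhere."""
    p = LinkCollector(); p.feed(html)
    return [(t, h) for t, h in p.links if re.search(r"\.\w{2,}", t) and _host(t) != _host(h)]

# Assumed cues for a hand-inserted wire-transfer block (not on the original page).
WIRE_PATTERNS = [r"western\s*union", r"send\s+money", r"test\s+question", r"test\s+answer"]

def wire_instruction_hits(html):
    """Wire-transfer cues found in the body text, with tags stripped."""
    text = re.sub(r"<[^>]+>", " ", html)
    return [pat for pat in WIRE_PATTERNS if re.search(pat, text, re.I)]

def assess(html):
    """'link-mismatch' for classic phishing; 'payload-substituted' when the links pass
    but the body carries wire instructions; otherwise 'clean'."""
    if mismatched_links(html):
        return "link-mismatch"
    return "payload-substituted" if len(wire_instruction_hits(html)) >= 2 else "clean"
```

The point of the second check is exactly the one the post makes: a message can pass the URL test perfectly and still be a scam, because only one block of text was touched.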
The nature of digital documents makes it trivial to build a malicious message by taking a benign one and making only minor modifications. I suspect that Mr Onuorah won't be the last scammer to try something similar. Moreover, our defenses against this are still at a very primitive stage. Email is a hugely naive and trusting communications channel, designed in a simpler age when everyone you might communicate with was assumed to be inherently trustworthy. Ultimately, digital signatures may come to be a standard part of our communications repertoire, precisely in order to foil attacks of this kind (let's not think for the moment about what happens when a 'secure' system used to create digital signatures proves to be not-so-secure after all). But in the meantime, the aggressive mimics are having a field day.