Adventure into the male psyche that helps spammers make money.
By Eh’den Biber
This is the story of the spam email, the vulnerabilities it exploits, and the remediation actions required to it.
How we got here?
As was written many times in the past, the internet was never designed to be internet, it was intranet from a trust perspective – and protocols RFCs that were developed on top of it never imagined that it will run on dog collars. I kid you not.
Modern email systems can be configured pretty effectively to block most of the spam. You want to do it not only because it’s a great way to make employees click on links that might lead them to bad places, it’s also because the sheer amount of storage these annoying things require. So technically we can and should talk about the wide list of controls that you could and should implement in order to stop major amount of shit from hitting your fan. We can talk about how to configure the bastioned email gateways in another time and on the way there you want to listen to some good advice I hereby give you Wolfgang Goerlich:
When Spammy met Harry
For this section, I will focus on the human element. Assuming a spam email managed to pass the spam filter you will assume that no person in his right mind will go to the spam folder and open emails in it, right? Well, if we did our work correctly, they shouldn’t. However, spam filters are not bullet proof, they do fail from time to time, and many people, including yours truly, had to learn it the hard way. My CISA certification got lost because I didn’t receive the notification to report CPEs on time, and when I tried to contact ISACA and ask them to update it I had to fight for months, ask for a favour from a friend who worked at the ISACA board (yes!) and even after all of that they then refused to accept my CPEs. It was not nice, and if anyone who is a member of ISACA and can help me here, I will be happy to know about it! (Dream on, baby!)
The true fact is that most people will go from time to time to check their spam emails. Actually, as the spam filters getting better and the amount of spam that pass the filters is lowered, why shouldn’t you? If you see one message sitting in your spam folder it is worth a chance to check it. The behaviour pattern that spammers are utilising is our “Dopamine Slot Machine”, which creates everything such as our addiction to our social media feed. People go to spam mailboxes. It’s an evolutionary fact, because if it wasn’t true spammers wouldn’t be reaching the required mass to operate from a financial standpoint.
And in any case, we always need to remember the statistics: idiots outnumber by a far stretch the Neil Degrasse Tyson of the population.
With that said, the scene is ready for the spam message itself.
Why it works?
The email subject is:
How does it feel to be a loved one? I wish to feel it someday.
First, a comment, and a very important one.
We assume that to feel “being loved” someone else must do it (to us), not via us loving others. The truth is that you truly feel being loved only when you love someone else unconditionally. It’s a strange thing, totally counter intuitive. As Justin from “Smarter Every Day” said about the backwards brain bicycle: “Once you have a rigid way of thinking in your head, sometimes you cannot change that, even if you want to” – it’s true in bicycles, and it’s true in our perception of love.
Back to our story: when we open the email, we see we got a message from “a girl” name Tatyana, from Russia. Not a woman – a girl. Are you adopting a child? Not, and we are not in Japan (at least up to 2014), so stop trying to look for girls!
You learn it is a smart “girl”, middle class, a doctor from Russia. Doctor to what? We have no idea. How old? We don’t know, and we don’t mind she doesn’t tell. Hint to the Casanova – if a woman trying to hit on you, and she tells you about herself and do not mention an age it’s most likely not a woman. A real woman will always tell her real age – minus a decade or two.
She mention that she’s from Bryansk. You never heard of Bryansk which make sense because many Russians don’t even know where it is. Who cares, she’s a girl, right? And she is lonely!
Then she tells you she was dreaming of meeting a stranger from another country because she saw it in films.
OK – summary: a woman who refuse to admit how old she is, who calls herself “a girl” (which means he has severe maturity problems), and who is dreaming to meet someone from another culture, think that’s it is going to work because we all know Hollywood makes ONLY documentaries. Right? And until now not even a sign of alarm to you? Don’t you even think “how the heck she found me?”, or question the fact the email comes from Poland, but how could you tell if you never took the time to learn domain suffix meaning?
Great, let’s continue! Then she tells you she found a website “where thousands of young women like me had registered and found the love of their life”.
HOLD ON.
So, she tells you that there is this website in which you might find even MORE desperate women who might even be able to ignore your behaviour patterns that destroyed all your previous pathetic attempts to establish a connection with a female partner? Someone who could live with your inability to show your emotions because she is a strong Russian woman who never smiles, exactly like your mother? Could it be that her city is near a nuclear and chemical waste facility, which will make her immune to the smell of your farts, and to cherish the dirt in your apartment that manage to scare away even the cockroaches?
You’re getting excited! You think to yourself “Could it be that you found a woman as desperate as you are to feel a human touch? Could it be true?”, you ask yourself. Then she tells you: Just click below, go to the website and find me there.
“The force is with me!” you say to yourself, out loud, waving your imaginary light sword.
STOP.
Sunny boy, let me give you a small advice about women, a subject I see you might have little if any experience with. Women don’t share their man, and will shut down competition faster than you can blink. If there was a first-person shooter in which a woman hero is going on a journey to eliminate all the threats she has from other woman that might be stealing her man from her, women would have been dominating the game. If there ever be such a game, any women, even fully drunk will be able to kick your ass. Women would butcher every bitch that would come within a mile their man, if they feel there is a danger to their relationship.
The fact that you believe that a single woman will just share a website that will have thousands of other women that can compete with her on your heart is simply sad brother, so sad.
Please don’t click… please… ohh too late.
Afterthought
So yes, this is how man fall for such spam emails. And before my beloved sisters will feel they are better – oh, you’re so at risk as well. I personally know enough women who will click on a link to a fake sales site faster than men will click on links to porn sites.
Spam works because most human beings are lost in their mind. In different degrees, in different ways – but lost. Our unwillingness to admit it is in the heart of our information security problems.
And because we are all so tired to be alone.
Remember – security is a perception. The bigger the gap between perception and reality, the bigger the risk you are in. The solution is simpler than most people can think of, and it brings us back to the beginning of the story: until you practice giving unconditional love you are vulnerable.
Namaste
Eh’den
