Getting SpearPhished
-
Happens to us frequently and they appear quite legit with correct names and addresses. Here's a sample, admittedly a poor one as it's lacking the usual attention to detail we see.
We've pushed to have all names removed from our website as we suspect that's where this is coming from.
-----Original Message-----
From: $CEONAME [mailto:$CEOEMAILADDY]
Sent: Friday, November 20, 2015 9:56 AM
To: $FINANCECONTROLLER
Cc: $FINANCECONTROLLER
Subject: Urgent Request
Hello $FINANCECONTROLLER,
How are you doing? I need you to process an electronic bank transfers for me with some other few transactions today but first,i will like you to handle the electronic bank transfer.Can you handle this now?Get back to me immediately for the beneficiary details.
I will appreciate a quick response from you.
Thanks
$CEONAME.
-
Do they think people email each other like that?
Good Morrow Sir,
I hope you are well, but let's dispense with the pleasantries. I will need a transfer of funds from the financial institution, post haste. Please inform me of the financial details.
Best Regards,
-
@johnhooks said:
Do they think people email each other like that?
Good Morrow Sir,
I hope you are well, but let's dispense with the pleasantries. I will need a transfer of funds from the financial institution, post haste. Please inform me of the financial details.
Best Regards,
I've heard a theory that scammers intentionally mangle the grammar in their emails so they pre-screen the people that are going to catch on quickly and only get responses from people that are most likely to fall for the whole scam... No idea how true that is as I'm not a scam copywriter, but it does explain why no scammers seem to have any grasp of grammar and/or how people actually talk.
-
@WingCreative said:
@johnhooks said:
Do they think people email each other like that?
Good Morrow Sir,
I hope you are well, but let's dispense with the pleasantries. I will need a transfer of funds from the financial institution, post haste. Please inform me of the financial details.
Best Regards,
I've heard a theory that scammers intentionally mangle the grammar in their emails so they pre-screen the people that are going to catch on quickly and only get responses from people that are most likely to fall for the whole scam... No idea how true that is as I'm not a scam copywriter, but it does explain why no scammers seem to have any grasp of grammar and/or how people actually talk.
Oh, that kind of makes sense.
-
Same theory that people will specifically go after people who change port numbers because it flags them as 1) having something to hide 2) not aware of how security works 3) thinking that obscurity is going to protect them.
-
@johnhooks said:
Do they think people email each other like that?
Good Morrow Sir,
I hope you are well, but let's dispense with the pleasantries. I will need a transfer of funds from the financial institution, post haste. Please inform me of the financial details.
Best Regards,
Not far off actual email convos I've had
-
@WingCreative said:
@johnhooks said:
Do they think people email each other like that?
Good Morrow Sir,
I hope you are well, but let's dispense with the pleasantries. I will need a transfer of funds from the financial institution, post haste. Please inform me of the financial details.
Best Regards,
I've heard a theory that scammers intentionally mangle the grammar in their emails so they pre-screen the people that are going to catch on quickly and only get responses from people that are most likely to fall for the whole scam... No idea how true that is as I'm not a scam copywriter, but it does explain why no scammers seem to have any grasp of grammar and/or how people actually talk.
I believe you're correct; however, the last few we've seen were spot-on correct, down to punctuation, spelling, grammar and capitalization.
-
@scottalanmiller said:
Same theory that people will specifically go after people who change port numbers because it flags them as 1) having something to hide 2) not aware of how security works 3) thinking that obscurity is going to protect them.
So changing 22 to 2222 doesn't help?
-
@johnhooks said:
@scottalanmiller said:
Same theory that people will specifically go after people who change port numbers because it flags them as 1) having something to hide 2) not aware of how security works 3) thinking that obscurity is going to protect them.
So changing 22 to 2222 doesn't help?
Exactly, might actually make it worse.
We had to change one just like that this week due to a port conflict and I felt myself shudder because it is such a bad practice.
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
Same theory that people will specifically go after people who change port numbers because it flags them as 1) having something to hide 2) not aware of how security works 3) thinking that obscurity is going to protect them.
So changing 22 to 2222 doesn't help?
Exactly, might actually make it worse.
We had to change one just like that this week due to a port conflict and I felt myself shudder because it is such a bad practice.
I've seen soooo many bad tutorials actually tell people to do that because then it's harder to figure out. Well not really when all you need is nmap and it tells you which ports are open.
-
@johnhooks yup, every script that is trying to hit you already checks for the ports to be open, not specific ones. Someone attacking you would never even realize you had changed the port unless they are specifically getting a report of people who had done so, presumably because that would mean that they are better targets to focus on.
-
@scottalanmiller said:
@johnhooks yup, every script that is trying to hit you already checks for the ports to be open, not specific ones. Someone attacking you would never even realize you had changed the port unless they are specifically getting a report of people who had done so, presumably because that would mean that they are better targets to focus on.
Plus if nothing else, it's annoying to remember.
-
@johnhooks said:
@scottalanmiller said:
@johnhooks yup, every script that is trying to hit you already checks for the ports to be open, not specific ones. Someone attacking you would never even realize you had changed the port unless they are specifically getting a report of people who had done so, presumably because that would mean that they are better targets to focus on.
Plus if nothing else, it's annoying to remember.
The reason I keep standards
-
@johnhooks said:
@scottalanmiller said:
@johnhooks yup, every script that is trying to hit you already checks for the ports to be open, not specific ones. Someone attacking you would never even realize you had changed the port unless they are specifically getting a report of people who had done so, presumably because that would mean that they are better targets to focus on.
Plus if nothing else, it's annoying to remember.
Which alone is considered a bad security practice.