A Mona Lisa of Malware Spam

You can admire the skill of an artist, even if he or she paints a forgery. So I admire, and want to share, a work of art that recently arrived by email. A combination of cynicism and professional pride means I never open unexpected attachments, but I was genuinely impressed by this malware-laden spam. Even Leonardo da Vinci would admire the attention to detail. Like a painting by the master artist, not every detail is immediately apparent.

[Image: the malware spam email]

So why is this spam so impressive? To begin with, it vaults over the hurdle that defeats most crooks; it is spelled correctly and the use of English is not just grammatical but also elegant. It does miss a word, but people do miss words when they type quickly. Though capable of writing more, the author avoided the mistake of self-indulgence. He or she realized that social engineering works best if victims are encouraged to make quick, impulsive decisions. The text of this message is just long enough to convey its point, but not so long as to encourage more reflection. Many people will open the attached document out of curiosity, without considering the possibility it will download malware.

The signature is not very sophisticated, but that means it looks much like the kind of signature which would be appended to an email from a small business. Few would expect an artisan wine business to be at the cutting edge of internet technology. And the business is real, and those are the contact details for that business. So if you did a quick search on Google, and found the website for Les Caves, you might be encouraged to open the email. Or you would have, until Les Caves thoughtfully added a banner to warn visitors about this spam.

I like the graphic of the wine festival. Again, it is the kind of image that a small business might append to their email. And the festival is also real. Maybe they chose to highlight the Real Wine Fair as a gentle psychological nudge; if the wine festival is real, are we less likely to suspect the email is fake?

Poor Avril Sparrowhawk is probably real too. I could email or phone her to find out, but she has probably been plagued by calls as a result of this spam. Her LinkedIn page looks authentic, and that is good enough for me. If not, then the spammers went to even more trouble to perpetrate their deception.

Those weird characters to the left of the phone and fax numbers appear to be two little slip-ups. But then again, maybe not. Depending on how you look at them, they also add a degree of authenticity, if you correctly guessed why they are there. Anyone who ever received an email containing an unexplained ‘J’ character will have no difficulty understanding why. Just as some people think they are sending a message containing a smiley on their end, not realizing the recipient will see the letter ‘J’ instead, the same substitution can occur with other characters. In this spam, the author tried to use the Wingdings 2 character set. The Unicode characters we see above are the equivalent of the telephone and the printer characters in Wingdings 2. I suppose that means the spammers did make one other mistake – ‘6’ is meant to be a printer, not a fax. They needed to use a ‘7’ if they wanted the proper character for a fax machine.

All of this analysis leads me to ponder. There are several archives of spam and malware, which do a great job of recording the internet trickery of fraudsters and criminals. But has anyone ever collated the best examples of spam, by which I mean the examples which are most likely to fool people? We could learn a lot, by looking at the best forgeries, and understanding how they dupe the unwary. Such a repository would be a literal rogues’ gallery!

Sadly, these deceptions lead to many victims in real life. I feel for Les Caves, who are not responsible for the misappropriation of their email address, and can do nothing to prevent it. I would have bought a bottle of wine from them, out of sympathy for their plight, but their online service has yet to commence. Those of you living near their shop, in Guildford, England, may want to drop in. I will pay them a visit next time I travel to that part of the world. And when I drink the wine, I will offer an ironic toast to this Mona Lisa of malware spam, and the unknown artist who introduced me to a new source of fine wine.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others. Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy. Commsrisk is edited by Eric.