Phishers Are Getting Lazy

Back in the early to mid-1990’s, access to email really was free, though the general Internet was rather expensive.  AOL would charge $9.95 US per month for up to five hours in that month (no rollover), and then $2.95 US per additional hour[1].  CompuServe, which – at the time, I preferred over AOHell – was a whopping $12.80 US per hour for basic and $22.80 US per hour for web access.  They then generously reduced their cost to just $8 US and $16 US per hour, respectively[2].  My favorite ISP of the time, however, was Prodigy — which was a mere $9.95 US per month for up to five non-rollover hours, then $2.95 US per additional hour[3].  That’s without remembering, of course, that some new providers like MSN were coming out with flat-rate plans.  And the best part was that – remember this?!? – Internet access was like old home phone plans.  Nights and weekends were cheaper, while business hours were considered “peak times” and would cost more.  And that’s not including anything about the speed of your modem and how those rates were considered “premium” rates and were also billed accordingly.

Price didn’t matter, though.  I was a teenager without a credit card, and my mother thought the Internet was too dangerous.  Thankfully, many of the dial-up ISP’s of the time were all-too willing to offer free trials, and they did a poor job of keeping track of who tried what, when.  You couldn’t keep an always-on connection, but if you spread it out among several, you could connect for a good 5-10 hours per week.

Obviously, I’ve seriously digressed here.  Far enough from the opening statement of free email, and a universe apart from the title of this rant.  Be patient.  I’m coming full-circle in a few moments, starting with the free email bit.

Circa 1996, I’d seen my first commercials for a new free email provider named Juno.  I called their toll-free number and requested a 3.5″ floppy disk with their software, and about two weeks later, I was online.  The problem with Juno at the time was similar to that of all of the other ISP’s of the era — if you lived outside of at least a moderate suburban area, you had to pay per-minute long-distance charges to reach even the nearest access number.  Insult to injury.  So, yes, Juno was free, but in the 717 area code of Pennsylvania back in 1996, the nearest access numbers to us at the time were in Wilkes-Barre.  That meant variable per-minute connection charges, beginning with about a $1.29 first-minute “connection charge.”

There was good news, though.  Juno provided a toll-free number to dial in and select your nearest access number, based upon your area code.  So if you put your area code in as 800 or the all-new 888 – both toll-free in the US and Canada – you were presented with a short list of access numbers.  And sure enough, they worked just the same as the long-distance access numbers.  Suddenly my mother didn’t care what time I checked my email anymore.  It was 100% completely, totally, absolutely free (for us).

For a while, an added bonus was that Juno – being an Internet email service, not just an internal network provider – had a likely unintentional (but very welcome) side-effect: you could tunnel through and access the wonder that was the 1996 World-Wide Web.  And on top of that, you could use direct hostnames and IP addresses to reach the proprietary areas of AOHell (such as chat rooms, the only decent thing of AOHell over any other provider).  Juno would cut you off after several moments of inactivity in their email software, which you couldn’t minimize as normal, but some simple scripting and – voila! – free Internet access that would stay connected for about two hours at a clip.  I had eventually coupled that with a redial script and, eventually, found a way to avoid using the Juno client altogether.  Looking back, it probably violated their Terms of Service or something, but I wouldn’t have even imagined, at the time, that I was doing anything wrong.

Over time, other actual free online services came out, including Altavista Free Internet (my favorite), NetZero, K-Mart Bluelight Internet, and Lycos Free Internet.  As you could probably imagine, nearly all of the free Internet providers at the time had either a parent or partner company in common.  In fact, with the exception of a short stint as an (extremely dissatisfied and overcharged for months after I canceled!!!!) AOHell $23.99 US monthly subscriber, Altavista Free Internet was with me through a good part of my time at college.  They installed a bar at the top of your desktop that took up about 15-20% of your vertical screen real estate, and in that there were basic controls (disconnect, close), a large banner (which was probably just the 468×60 standard), and a meter on the right side.  The meter would count down to let you know how much time you had before you either clicked the banner or were disconnected.  It didn’t take long to develop a background script that would send the same signal to Altavista’s servers as the clicking of the banner — but without disrupting my surfing session.  I could leave the system running for days on end on a good connection, and the auto-redialer would pick up the slack.

Eventually, I got a notice from them for violation of their Terms of Service for the manner in which I was remaining connected.  It was at that point that I realized, “hey, genius, maybe what you’re doing is wrong.”  Unfortunately, it was too late — they permanently blocked that computer and phone number.  I could dial in with another computer and *67 to block the number, but to be perfectly honest, I was too scared to go back to trying to get it the free way.  Guess I would’ve sucked as a cybercriminal.

So now, finally coming back to my original point – and the title of this useless drivel – about how phishers are getting lazy….

It was about the summer of 1997, and my awesome Yahoo! email account (my actual Yahoo! account, not my Rocketmail account ;-P) was the conduit by which a grieving widow of a recently-deposed Nigerian dictator, in a desperate attempt to escape the oppression of the new regime, begged my help to transfer roughly $13 Million USD into my bank account.  See, her husband – a former General-turned-dictator – had been killed in a helicopter crash while trying to flee his collapsing government.  His widow pleaded for my help in transferring the money to the US, where she and her now fatherless children would soon reunite.  Logically, she would then ask for the money to be returned, but for my part, I would be permitted to keep 10% ($1.3 Million USD) plus any interest earned while waiting for her arrival.  She would cover all of the fees of the transfer, attorney’s fees, and coordinate everything herself.  All I needed to do was promise that I wouldn’t keep her money (my word was good enough), and then provide her with my checking account number, bank routing number, Social Security number, full name, address, birthdate, phone number, and – because the bank would require it for verification – my mother’s maiden name.  I was told that the reason I was being asked was because of my reputation online; that I was well-known in their part of the world, and revered.  I was ordered to keep this in the strictest confidence, so as not to risk her safety or the safety of her children.

At the time, I did have a bit of a reputation for a variety of things which I won’t mention right now, but suffice it to say, under different nicknames, I did have some recognition in a few independent technology publications and BBS networks.  That must’ve been how she knew of me.  The email had my name throughout it, and mentioned different activities and websites I ran, as well.  It genuinely looked to me, at the time, as though it was written especially for me, by someone who really knew (or knew about) me and my life.

Well, I didn’t really obey her order of confidentiality, because it seemed “fishy” (yes, exactly as I said it at the time).  I called my uncle in Virginia and explained things to him.  At the time, he was still working for the now-defunct INS (Immigration and Naturalization Services) division of the Department of Justice.  He, too, said it didn’t sound all that legitimate, and asked around his network of colleagues.  He eventually learned – and informed me – that it was a newer take on age-old scams.  He also said that he had been told to tell me (presumably by someone in the FBI, since it was all DOJ) to “delete the email and never, ever reply to any like it.”  That was an order I did obey.

At the time, phishers would personalize their attacks a bit more.  Work a bit harder, get a good payout when you finally hooked a sucker.  Get to know your victim, blah, blah, blah.  Now they just blast out emails saying you won the lottery or something.  Some of my favorites are the ones that just have a basic email subject such as “hi” and nothing in the body but:

reply me now
name ……………………
email ……………………..
phone ………………….
credit card # …………………
expiry ………………..

I’m not joking.  I get about two dozen of those per month.  That’s really lazy…. but does anyone actually fall for that?

So today, I got one that prompted this long-winded, ranting exercise in circumlocution.  It didn’t make up a story saying that they were rich, powerful folks who needed my help in exchange for a handsome reward.  It didn’t beat around the bush.  It didn’t even offer to give me anything at all in return for my efforts…. but it still had a nice story.  I guess the phishers are getting too lazy to come up with anything but random begging.  Check it out:

Hello,

How are you doing? Honestly, I’m doing pretty awful! I’m in
Madrid,Spain and a lot of crap has been spewing.

I was mugged last night in an alley by a gang of thugs on my way back
from shopping, one of them had a knife poking my neck for almost two
minutes and everything i had on me including my cell phone, credit
cards was all stolen,quite honestly it was beyond a dreadful
experience for me but looking on the bright side i wasn’t seriously
hurt or injured and am still alive so that is whats important.

I’ve reported to the cops here and canceled all my cards,it appeared I
had acted quickly enough or they almost would have succeeded in
cleaning out my bank account. I’m really having some difficulties
clearing my hotel bills and also need to pick up a voucher ticket at
the counter for me to catch a flight back home in a couple of hours.

I was wondering if you could please loan me some money pending when i
get things straighten out and I promise to refund as soon as i arrive
home safely.

Thanks,
Bob Wan Kim
Marketing Director and Creative Director

Alas, poor Bob, I hardly knew ye.

 

^1: What did Online Access cost (per hour) in 1995? (forevergeek.com)
^2: CompuServe Interactive Services, Inc. Company Profile (fundinguniverse.com)
^3: Eight Good Reasons To Go On-Line – Here’s How To Find The Best Computer Network For You. (CNNMoney, December, 1994)
^4: The Online Timeline by David Carlson

Share

2 comments

  1. sadfsdaflas says:

    asflkdasfasdfsdafdsfsdaf

Leave a Reply

Your email address will not be published. Required fields are marked *