Weirdest spearphishing attack ever?

I received the oddest spearphishing attack the other day. At least, I’m pretty sure that’s what it was, though I can’t be 100% positive. Here’s the correspondence, with the name changed slightly to protect the innocent (if she is innocent, which I highly doubt).

From: "Marina Mitropoulos (ABCTours)" <express@abctours.gr>
To: <kfogel@red-bean.com>
Subject:  urgent!
Date: Thu, 25 Oct 2007 13:43:07 +0300

Dear Mr Fogel,

I would like your help in a very serious matter.

Recently, my boss received an unknown senders email referring to me
and accusing me for many terrible things that are not true and my job
place is in jeopardy right now.

I need your help to find this persons Id or even the password of his
email. I want to find out who’s this person that is trying to ruin my
life.

The email that this message came from is: gianluigi.farina@alice.it

Will you please help me?

Im waiting for your kind reply,

Thank u

Marina

Now, I didn’t read that original mail when it first arrived. When email from an unknown sender has the subject line “urgent!”, I don’t even consciously process it as spam anymore — a couple of neurons somewhere in my brainstem take care of hitting the Delete key, while I go on to read the next subject line in my inbox.

But then came another message from her:

From: "Marina Mitropoulos (ABCTours)" <express@abctours.gr>
To: <kfogel@red-bean.com>
Subject: KNOTSPAM  Hi, Karl, long time no see...
Date: Thu, 25 Oct 2007 15:57:12 +0300

    Dear Mr Fogel,

    [...the rest is the same as the original...]

Whoa. Only a human could have sent that, because it had the “KNOTSPAM” marker signifying that the sender has read my web page explaining how to send me email that won’t be mistaken for spam. So she was real, and she was trying to talk to me in particular.

(Note the “Hi, Karl, long time no see…” in the new subject line, by the way. This was a lie: as she later admitted, she was a complete stranger.)

Now somewhat intrigued, I replied:

From: Karl Fogel <kfogel@red-bean.com>
To: "Marina Mitropoulos \(ABCTours\)" <express@abctours.gr>
Subject: Re: KNOTSPAM  Hi, Karl, long time no see...
Date: Fri, 26 Oct 2007 13:44:36 -0700

Do we know each other?  What makes you think I can help with this?

When I received your first mail, I assumed it was spam.  But then I
received your second mail, with the "KNOTSPAM" marking in the subject
line, which means that you read my web page and figured out how to
send me email.  That was a surprise.  But I don't recognize your name,
and I have no record of ever having exchanged email with you before.
If we are acquainted, I apologize -- I do not have a good memory for
names.

Who are you?

-Karl

She replied a day or so later:

From: "Marina Mitropoulos (ABCTours)" <express@abctours.gr>
To: "Karl Fogel" <kfogel@red-bean.com>
Subject: Re: KNOTSPAM  Hi, Karl, long time no see...
Date: Mon, 29 Oct 2007 10:20:58 +0200

Dear Karl,

No, we do not know each other, I work for a travel agency in Greece,
my name is Marina Mitropoulos and as I wrote you in my previous email
I am in a jeopardy to lose my job because of some idiot that is trying
to make me look very bad at my boss's eyes.

Unfortunately, this person did a good job by sending all he/she wanted
through a free account email from a foreigner provider.

I don’t know to whom to turn to find out the truth, I’m not
interesting in to read his/her emails, I only want to find out from
where (country/area) this account was opened and if there's any real
name given, or if nothing of the above if I can at least read some of
other emails and try to understand to whom it could belong to by the
way of writing..(I hope you understand what I’m trying to say)

I understand that this could sound a bit unorthodox to you, but If you
can help me I would very much appreciate it.

I have tried even with a private investigator but here in Greece
things are not so easy to find out a thing like that as it is in
united states…

I have searched the internet for trying to find anything I can on my
own, but I’m clueless with these things and I only end up paying some
stupid site for promising me to find it and at the end they couldn’t
even find my work emails details… anyway…

I deeply apologize if I caused you any kind trouble, it was not my
intention,  I only need help if you can please...

If you wish to contact me here's my phone nr +306974301136

I thank you again even for reading this email and for responding to it…

I m waiting your response,

Thank u again.

Marina Mitropoulos

Hmmm, a phone number! Why, I remember when I couldn’t pry that out of a woman at a bar for all the charm in the world… and now they’re throwing them at me by email. I love the Internet! Just kidding. Here’s how I responded:

From: Karl Fogel <kfogel@red-bean.com>
To: "Marina Mitropoulos \(ABCTours\)" <express@abctours.gr>
Subject: Re: KNOTSPAM  Hi, Karl, long time no see...
Date: Mon, 29 Oct 2007 10:25:37 -0700

I can't help with your problem.

But I'm fascinated that you picked a complete stranger at random on
the Internet to ask for help.  That seems very, very odd.  I don't
think it's likely to solve your problem.  Most strangers would be
suspicious that maybe you have some other motivation.  For example, if
someone's telling lies about you on the Internet, then it's just as
easily possible that you are telling lies about yourself: from an
outsider's point of view, neither one is more likely than the other!

If she’s a spearphisher, she’s going out of her way to keep her cover. She stayed in character to reply:

From: "Marina Mitropoulos (ABCTours)" <express@abctours.gr>
To: "Karl Fogel" <kfogel@red-bean.com>
Subject: Re: KNOTSPAM  Hi, Karl, long time no see...
Date: Tue, 30 Oct 2007 10:01:33 +0200

I see your point and I totally understand... and in this case there is
no point for me to try convince you otherwise.

Just informational, I dont have any motivation to get into this email
and snoop around for fun, I need it to find out who is trying to hurt
me… and this action to “picked up someone random” on the internet , it
shows how really desperate I am to find out the truth.

I thought you could do something to help, but I see now how silly it
might seems to you all this and Im very sorry I disturbed you but I
thank u deeply for even replying to my mail.

Marina.

I have no idea what to think now (other than I love the Internet!, of course). Searching for her real name gets exactly one hit, on a web page at the same ostensible Greek travel agency as her email address. On the off chance that she’s telling the truth, I’ve changed her name, and that of the travel agency. But not her number: if you want to get in touch with her, go for it, and good luck!

5 Responses to “Weirdest spearphishing attack ever?”

  1. Scott Carpenter Says:

    Wow — that really is strange, to invest so much effort in such an odd line of attack.

  2. Lev Says:

    This is indeed very interesting. Her English is at near native speaker level, as is her comprehension of your rather subtle reasoning. Yet the scheme is entirely transparent. If you were to go to the effort of directly spearphishing a mark, wouldn’t it be much more compelling to make the hook more plausible than “I’m appealing to random people on the internet?” Perhaps spinning a yarn about how the anonymous denunciation appears to have originated from your domain, or that your name and/or website was referenced in the accusation, or even that you had been recommended by a mutual friend as someone who could help. Very strange… keep us posted.

  3. Karl Fogel Says:

    I’ve been seriously tempted to call, just to see where it leads (an all-expenses-paid tour of Greece?). But not from my own phone. From a pay phone… using a calling card… that I bought with cash.

  4. Matt Braithwaite Says:

    Call her up. Have an adventure. What’s the worst that can happen? You end up dead in a ditch in Sardinia?

  5. Karl Fogel Says:

    No, the worst thing that can happen is the Americanization of James Bond. Oh, wait, that’s already happened. Maybe I should call her!
