SkydivingWithMyPig.com

This past month, there's been a fair amount of discussion between my friends about spam (well, I call it discussion. Mostly it's a couple of nimrods who've decided to forward their spam to one another, and put me on a CC list for their 'conversation.' That, and dick jokes. Still, it's just about as high-level a conversation as you're likely to see in my inbox). So I've been thinking about spam a lot. And then I started noticing a new phishing technique show up in my inbox. Here's one I just got:

Dear Member,

We are glad you joined Pet World.

Confirmation Number: 935727481659
Login ID: user1206
Temorary Password: qv339

Be Secure. Change your Login ID and Password.

Follow this Link: Pet World

Thank You,
Internet Support
Pet World


Now - this is brilliant. Why is this brilliant? Because people, by and large, are not security conscious (I first wrote "are idiots," which is unfair. Not untrue, perhaps, but I'm certainly not prepared to defend that statement in a blog post). As an admin for a once-popular site with a login feature that is as insecure as it is useless, I learned that people will use the SAME EXACT password and login for everything. I have an entire database chock full of people who have given me their primary email address, most used login name, and common password. Which brings us to the above spam.

I've seen a couple of different types - Pet World, Car Magazine, Alpaca Herder, etc etc. You get this message that you've got a login that's been set up and say to yourself "Hey - I'm interested in Alpaca Herding! I must have signed up for this site and forgot about it!" You go to the provided address (which, by the way, is just an IP address, no domain name), and change the login and password to the one you use for everything else. And then you're owned.
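As an added example (not the post's own code), here is a small Python check a mail admin could run over an HTML message body to flag the two things this lure combines: credential-reset wording and a link whose host is a bare IP address rather than a domain name. The sample message and the 203.0.113.7 address are constructed for the demo.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording the post's sample message relies on; the first regex tolerates the "Temorary" misspelling.
LURE_PATTERNS = [r"tem\w*rary password", r"change your login", r"login id"]

class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_ip_literal(url):
    """True when the link points at a bare IPv4/IPv6 address rather than a domain name."""
    host = urlparse(url).hostname
    try:
        return host is not None and ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def score_message(html_body):
    """Return the indicators found; lure wording plus a bare-IP link is the pattern the post describes."""
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    hits = [f"lure phrase: {p}" for p in LURE_PATTERNS if re.search(p, text)]
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, anchor in parser.links:
        if host_is_ip_literal(href):
            hits.append(f"bare-IP link labelled '{anchor}': {href}")
    return hits

# Constructed sample modelled on the post's message; 203.0.113.7 is a documentation-range address.
SAMPLE = """<p>Dear Member,</p><p>We are glad you joined Pet World.</p>
<p>Login ID: user1206<br>Temorary Password: qv339</p>
<p>Be Secure. Change your Login ID and Password.</p>
<p>Follow this Link: <a href="http://203.0.113.7/login">Pet World</a></p>"""

INDICATORS = score_message(SAMPLE)  # three lure phrases plus one bare-IP link for the sample
```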

This isn't *too* much different from other techniques, but there are a couple of subtleties that I think are brilliant, and quite worth mentioning. First of all, they are not misrepresenting themselves. Phishing techniques that send you to a replica of your bank's website are definitely illegal, no question. But this is a little hazier. It's not like they are pretending to be a bank, so is the act of telling you to go to this Pet World website illegal? Clearly the action they intend to take with your information is, but even after you've given them your information, the only crime they've committed is that of spamming.

The other thing I like about it is that it blurs the line between phishing and spear phishing (which is targeted phishing - the generation of a phishing email specifically crafted to a particular person. This is a useful technique when you are trying to achieve a particular goal or hack: If you know information about the head of HR for a company, and can elicit a response that includes an Excel sheet with SSNs for the employees, you've done much more with a single email than you possibly could with a single spammed phishing attack). The fact that you can spam addresses with these "Change your login!" emails from 'websites' that pertain to a range of interests means that eventually you are going to hit on something that your Aunt Edna (the Alpaca herder) is going to be interested in.

"Yup - skydivingwithmypig.com definitely sounds like a website I would have logged into."

Quite frankly, it's kind of brilliant. I'd want to shake the hand of the guy who thought of it, if I didn't want to kick him in the balls.

© 2005 All Too Flat