Contact form spam
A friend received the following, below, so I deconstructed it for her, advising that it was “dodgy as heck, do not follow the link”.
This is a mass spam to get unwary people to click on the link, which will almost certainly install malware or the like on your computer.
Sent: Saturday, February 29, 2020 7:01:19 AM
Subject: New Message From …
A message has been received from the … The following details were submitted:
Hi, We are very interested in the services you offer and we would like a collaboration! However we have some concerns about some reviews left on your facebook page form two persons …. can you please confirm that you have solved the problems with them … please find below the facebook reviews link to see what they say …… http facebok-com-618575 .9874498 .pw /page/?iilja25ytjsf0sveyoc66j32q
Here are some of the reasons I know this is risky:
1) Name: Robertkeymn
Name ROBERT … Email SUSAN – the spammer is a moron.
2) Phone: 83166174874
The number is a random string, and even if deconstructed to 831 617 4874 would be a California code (the 831 or the 617, but not both together)
3) Please click here (split): facebok-com-618575. 9874498.pw /page/?iilja25ytjsf0sveyoc66j32q
In email you HAVE to deconstruct / separate all web addresses before you click on them, even if it’s from someone you know and trust, ‘cos it might not be them.
So, first off, it’s not going to Facebook – or even Facebok (!), it’s going to 9874498.pw
.PW is country code top-level domain for Palau, if you are curious.
Can you really see Facebook spelling their own name wrong?
facebok-com-618575. … is a subdomain, a folder on 9874498.pw, the number is probably either the spam ‘campaign’ reference, or the spammers’ reference.
4) “Hi, We are very interested in the services you offer and we would like a collaboration! However we have some concerns about some reviews left on your facebook page form two persons …. can you please confirm that you have solved the problems with them … please find below the facebook reviews link to see what they say ……”
I won’t list all the reasons this is suspect, but here’s a few:
i) The target victim does not offer services, therefore it’s shotgun spam.
ii) It should begin “Hi. We…” or, less correct, “Hi, we…” NOT “Hi, We…” Bad grammar is a giveaway.
iii) “However we have…” – it should be “However, we have…” more bad grammar.
iv) “your facebook page” – It’s Facebook, not facebook.
v) “your facebook page” – if it was genuine they would link the page, YOUR page, they do not.
vi) “facebook page form two persons …” – ‘form’ instead of ‘from’.
vii) “facebook page form two persons …” – ‘persons’? NOT ‘people’? And only two?
viii) “facebook page form two persons …” – More nerdy, but an ellipsis does not have a preceding space.
ix) “can you please” – Sentences begin with a capital letter.
x) ” with them … please” – Again, does not end in a period, unnecessary ellipsis, and doesn’t start a new sentence with a capital letter.
xi) “facebook reviews link” – lower case name, again.
xii) “say ……” No period and they are clueless about an ellipsis.
OK, you might argue that it’s just an email, that it doesn’t matter, though I would beg to differ on that point! Regardless, it’s an email purporting to be from an interested business party, that makes a difference.
then they offer a seemingly American phone number (strike 2),
along with a web address that belongs to a tiny group of islands in the middle on the Pacific ocean (strike 3, yer out!)
That’s before we point out that archipelago’s official language is English (and the local dialect), yet they manage over a dozen errors in a single paragraph.
And they want you to trust them for a business ‘collaboration’.
5) This also means your address has been harvested by spammers and you will get more, so be wary, always.
6) This type of spam is directed at contact forms, particularly contact forms lacking spam filters such as reCAPTURE, which is more or less free from Google*. This represents a security issue with your web site.
*(There is a scaling fee, but most sites won’t get enough traffic to encounter it).
7) Additionally, as I’ve mentioned before, your website is not secure (no green padlock for https).
Furthermore, Google (etc) does not like such sites and downgrades them.
8) As a bonus, which further solidifies my low opinion of the spammers, they could – as many do – have tried further misdirection, such as saying the link goes to ‘here’, but actually linking to the target address, ‘there’.
As below, before clicking you should always check that a link is going where it says or suggests it is going. Just look in the bottom left corner of your browser or mail client. If it doesn’t have this facility, you might want to change it!
As an aside:
I did go on to point out (again) my less than admirable view of her web developer.
Her developer has a history of making mistakes, or to be more diplomatic, unprofessional (read stupid and append negligent) choices – and then, when they are pointed out, ignore the problem for a few months, then bill his clients to sort HIS mistakes finally.
You have one job, mate!
Who leaves their server unpatched so that they can bill their clients to secure it at a later date?
Seriously, what sort of web developer intentionally disables automatic backups and security patches so that they can bill customers to apply them quarterly?