This page has been robot translated, sorry for typos if any. Original content here.

Spam fraud (letters of joy)

The word "spam" often means only letters of an advertising nature, but this is not entirely true: some types of spam are sent for another purpose. Such “non-advertising” spam, in particular, includes one of its dangerous varieties - fraudulent emails.

Spam technologies allow organizing mass mailing of fake messages, substituting fake sender addresses and using infected computers to unsuspecting users for mailing. It is not surprising that this attracts scammers and cybercriminals of various calibers: the specificity of spam creates the conditions for deceiving users and for hiding traces of criminal activity.

Criminalization of spam is also facilitated by the fact that the initiators of the newsletters are not easy to find due to the anonymity of the emails sent, which means that cybercriminals can count on impunity. Spammers are actively using counterfeit or counterfeit sellers, criminal service providers and virus writers.

This article will focus on fraudulent spam emails sent to deceive recipients of money or gain access to confidential data that can be used to steal users' money.


The most dangerous spam fraud option is phishing .

Using phishing newsletters (phishing from fishing), spammers try to obtain user personal data: logins, passwords (usually to online payment systems), credit card numbers and PINs, so that in the future they can be used for profit . Most often, users of online banking and payment systems become targets of phishing attacks.

Phishing emails mimic messages from reputable organizations (banks, financial companies, payment systems). As a rule, such letters contain a link to a fake page and, under one pretext or another, urge the recipient to enter his personal data, as a result of which they are in the hands of fraudsters. In order to prevent the victim from guessing the fraud, this page is designed in the same way as the site of the organization on whose behalf the message was sent (the sender’s address is also falsified).

In some cases, after entering and sending data, the user's browser was redirected to this site, as a result of which the chances of the victim to suspect something was wrong were practically nil.

Sometimes a user doesn’t get to a fake site, but to a page infected with an exploit. Using a software vulnerability, the exploit installs a Trojan on the user's computer, which collects various information (for example, account access codes) and sends it to its “owner”. In addition, a machine infected in this way can become part of a zombie network and be used to carry out cyber attacks or send spam.

To deceive those who nevertheless pay attention not only to the appearance, but also to the addresses of visited sites, phishers mask the URLs used, trying to make them more similar to the original ones. Phishers started by registering on free hosting domain names that are similar to the domain names of the sites of the organizations under attack, but over time they began to use more and more sophisticated methods for this purpose.

A typical view of this disguise can be seen in the following PayPal client-oriented email:

Only a very attentive person, hovering a cursor over the link in the letter, can notice that the link actually leads to the phishing site. The link is very similar to the address of a legitimate site, but the domain the user lands on is completely different:

In this case, the “wrong” address will be displayed when you hover over the link in the letter, so that an advanced user is able to recognize the fake even before clicking on the link.

There are more primitive cheating options. The user allegedly receives messages on behalf of the administration or the technical support service of a particular service, in which, under various pretexts, it is proposed to urgently send the password from his account to the address indicated in the letter - usually, under the threat of closing this account.

In RuNet, this technique is used by phishers mainly to gain access to users' email accounts. It is worth noting that, controlling the user's mail, fraudsters through password reminder systems can seize his registration data on other Internet services.

Another common method of collecting passwords for mail is to send letters in which everyone is invited to take advantage of the “vulnerability in the password recovery system”, using which, allegedly, you can find out the password of another user. To gain access to someone else’s account, the recipient of the spam message must be sent to a specific address in a specific format, the login of the future victim, as well as your password. Needless to say, the "hunter" himself, who took advantage of a dubious offer, becomes the victim of the attackers?

However, over time, users realized that serious companies never asked to send passwords in letters, and the effectiveness of such traps began to decline. So, at present, spammers have to carefully mask fake letters, as a result of which it is becoming increasingly difficult for recipients to distinguish them from legitimate messages.

Typically, the targets of phishing attacks are Western payment systems and banks with developed online banking and a large number of customers who use them. However, with the development of online banking in RuNet, phishers are increasingly carrying out attacks aimed primarily at Russian users.

One typical example is phishing attacks against Alfa Bank customers. Fraudsters worked according to the classical scheme: the emails sent by them imitated letters from the administration of the bank and contained a link to a fake website on which the user was asked to enter their login and password to access the Internet banking system. The appearance of the page was an exact copy of the main page of the Alfa Bank website. In addition, scammers prepared an unpleasant “gift” for careless users: a malicious program was downloaded when users clicked on a link to their computers. Similarly, attacks were carried out on users of WebMoney and Yandex.Money systems; was targeted several times by Citibank phishers.

Attackers also often try to gain access to users' email accounts by requesting usernames and passwords on behalf of the administration of Russian postal systems.

Spamming Money

In addition to phishing, Internet scammers use many other tricks that allow using spam to lure unlucky users into traps and rob them. Most often, spammers try to play on the naivety and greed of their potential victims, which, however, is characteristic of all scams. To achieve their goals, scammers use various schemes, and the most common of them we will consider in more detail.

"Nigerian" letters

This popular fraud scheme was developed and is actively used by scammers from Nigeria, for which it got its name. However, at this time, scams all over the world are engaged in "Nigerian" fraud.

When implementing the classic “Nigerian” scheme, spammers send letters on behalf of a representative of a noble family (usually living in some African state) who fell out of favor due to a civil war / coup d'etat / economic crisis / political persecution. In classic "Nigerian" letters, the addressee is addressed in broken English with a request to help "save" a large amount of money by transferring it from the account of the disgraced family to another account. For the money transfer service, scammers promise a substantial reward - as a rule, percent of the amount transferred. During the “rescue operation”, it turns out that a voluntary (although not disinterested) assistant needs to transfer a small amount compared to the promised remuneration to complete the transfer / giving a bribe / paying for a lawyer, etc. As a rule, after transferring money, any opportunity to communicate with the “widow of the former dictator” or “the son of the late disgraced minister” disappears. Sometimes the victim is forced to fork out several more times, under the pretext that another unforeseen complication arose.

Sometimes the sender appears to be a high-ranking official who allegedly managed to earn a fairly large fortune with the help of bribes and fraud, but is now under investigation and can not take the money out of the country. To transfer money, he needs to provide access to some bank account. For help, the recipient is offered a certain percentage of the total. It is clear that having obtained the desired control over the account of a gullible user, fraudsters do not leave a dime on it.

What dramatic stories are not told in the "Nigerian" letters! You won’t deny their authors fantasy; it was not for nothing that in 2005 it was the “Nigerian" scammers who were awarded the Antinobel Prize for Literature. Russian stories were not left without their attention: in the same 2005, typical "Nigerian" messages in English were sent on behalf of relatives and people from the close circle of the disgraced oligarch Mikhail Khodorkovsky. This ended the Russian specifics - otherwise there were no differences from the classic "Nigerian" fraud scheme.

Dear friend

I am Lagutin Yuriy and I represent Mr. Mikhail Khordokovsky the former CEO of Yukos Oil Company in Russia. I have a very sensitive and confidential brief from this top (Oligarch) to ask for your partnership in re-profiling funds over US $ 450 million. I will give the details, but in summary, the funds are coming via Bank Menatep. This is a legitimate transaction. You will be paid 4% for your "Management Fees".

If you are interested, please write back by email and provide me with your confidential telephone number, fax number and email address and I will provide further details and instructions. Please keep this confidential; we can't afford more political problems. Finally, please note that this must be concluded within two weeks. Please write back promptly.

Write me back. I look forward to it.


Lagutin yuriy

There is also a romantic version of this spam fraud scheme emails from "Nigerian" brides . Touching messages are sent on behalf of girls living in distant exotic countries. A photograph of a dark-skinned beauty is attached. Typically, scammers carry out targeted attacks - such messages are most often received by users who have registered on dating sites. If a potential victim is included in the correspondence, they tell her a story in the spirit of soap operas: “They killed relatives, are not allowed to leave the country, and I am really a rich heiress ...” In the third letter, the girl already swears eternal love and asks to be taken out of the country along with her millions. All that the hero-savior needs to do is to help transfer millions of orphans from the country, and for a substantial fee. Of course, the assistant is required upfront costs, the amount of which reaches several thousand, and sometimes tens of thousands of dollars. For greater persuasiveness, an imaginary pastor and lawyer are involved in the case. At the final stage of the scam, false documents are used.

Fake Lottery Win Notifications

This type of fraudulent spam is close to Nigerian emails . Fake lottery winnings , allegedly held among random e-mail addresses / phone numbers, and offers to receive “free” gifts as winnings are sent to users. For persuasiveness, such a letter may contain a photograph of the prize and all kinds of “attributes of authenticity” of the lottery - ticket number, certificate of registration / license and other false information. As in the previous case, in order to receive a win, the user, under various pretexts, is invited to make a payment in advance for a certain amount on the accounts indicated by the scammers.

There were Russian versions of such letters, the text of which was clearly translated from the English original using an automatic translator.

Recipients of such notifications must first of all remember that participation in any lottery is impossible without the consent of the user. If you have never given such consent (and most likely you don’t know anything about the lottery in which you allegedly won), then you are dealing with a typical message from scammers who seek to deceive the recipient of money and not at all make him happy with a win.

"Errors" in payment systems, magic wallets, code generators

In spam letters of this type, the user is informed that a vulnerability has been discovered in a certain payment system that allows them to “make a profit”. The following is a description of the essence of the vulnerability and a recipe for making money is offered, consisting, as a rule, in sending a certain amount of money to a "magic" wallet. Fraudsters promise that some time after the transfer, the money will be returned to the user in doubled (tripled, etc.) amounts. Of course, such a “magic” wallet belongs to scammers, and the money transferred to it for the user will be irretrievably lost. Moreover, the victim will not be able to complain (submit a statement to the police: “I tried to hack into the payment system and as a result I lost money”).

Subject: Interesting


Hello! I want to tell you how I was cheated on 150 WMZ, but I recouped. I found somewhere in the network an article about the following content: "There is a magic WMZ wallet in the WebMoney system, and everything that you send to it will be returned to you in triple size !!! Any amount! Send a thousand - get three thousand" and t .d ... I did not believe it, but curiosity took its toll and sent $ 5 for the test. Checking the next day, I saw that no money was returned to me. I thought that this was all as it should be, and so I did the right thing, that I sent just such a small amount.
However, after about 3-4 days I checked my wallet and found a $ 15 transfer! I was surprised. I even stopped thinking about the fact that the money will return. Then he sent another five, 3 days, and again the same thing. Then he sent 8 dollars, after 3 days I received 24. Osmelev finally, sent everything I had, about 150 WMZ. What happened next, I think you already understood. Nobody sent me any 450 WMZ, and my 150 also disappeared forever.
It’s clear how they work. At first, no one will send a lot, so they give money away so that people become bolder. Having lost $ 30 at first, they got $ 150 afterwards. Climbing in search engines, I found many similar articles, oddly enough, the wallets in them very often repeated. In general, I mean that if you be careful and send a small amount of $ 4, you can always get three times as much. They have a special program that looks at who made how many transfers and how much to determine when to stop. They never take money transfers up to $ 16. Only if you send it more than 4 times in a row from one wallet. That is, by sending 15 WMZ, you will in any case receive 45 WMZ, because the amount is small, and they will wait until you send more. But then the amount is less than 5 WMZ (even 4.99) the program swallows without returning. If you carefully send them small amounts from different wallets, then you can deceive them. They no longer look at translations themselves, a special program does it for them, which simplifies the likelihood of fraud. How to trick scammers and earn up to $ 50 (WMZ)? You need to open somewhere 5 wallets, and constantly send, and always be in the black. I now earn about 500 WMZ per month on this (you can do more). These are not millions, but this is a more or less stable income. There are tens (or maybe hundreds) of thousands of money on these wallets, and it annoys me how they throw people, so I have to ruin them. Anyway, sooner or later they will see that they are going to minus and change their system. Personally, I send four transfers every week to ZXXXXXXXXXXXXXX, for the amount of 19 WMZ and about ten for 3 WMZ to these wallets (i.e. if at the first stage you have absolutely no money, you can transfer the amount of $ 3 until you sway, and how to get the amount of $ 19, you need to work bigger. After the bid is not worth raising, because they can throw), and always get a triple amount back. After a month, I change my WMZ wallets and do the same. After surfing the Internet for some time, I found some more similar offers and found that WMZ wallets are repeated in them. After several tests, I made a list of these wallets returning to you. And yet, just recently I found a wallet in rubles: at least 62 WMR can be sent, at most 910 WMR. If more or less - do not return. In the note on WMR I did not indicate anything, the money was returned within two days.

For those who do not know what WebMoney is all the information on

Another variant of fraud is when the victim is offered a program-generator of credit card numbers, systems for covert write-off of money from other people's accounts / wallets, etc. Often, such programs are offered for money, but it is reported that 1-3 accounts can be hacked for free to get an idea of ​​how the program works. The key point is that for such programs to work, you must enter your card / wallet number and password. When attempts are made to such a “hack”, the entered data is transmitted to attackers, which allows them to get money from an account or an electronic wallet of a lover of easy money.

The scheme in which fraudsters offer a card code generator program for paying for cellular services or connecting to the Internet is similar to the previous one, but it is proposed to enter a code of an unactivated card in the “code generator”, which will serve as a kind of model for “reproduction”. As in the case of credit cards, the entered data is transferred to the scammers, and the program simulates a turbulent calculation process. While the victim is waiting for the result, fraudsters with the help of the received data already pay their bills using the “model” user card.

Leaky Casinos

Another type of fraud is as follows: the user receives an email with the text approximately the following content: “After long hours of the game, a hole in the script was discovered, which makes it possible to win in an online casino. We are simply surprised how the admins did not notice this! .. ”The following describes in detail the“ winning ”betting strategy and provides a link to the casino website. Of course, it is not the love of humanity that drives the authors of such messages, and in fact there is no “hole in the script”. The fact is that a spammer receives a certain percentage in case of a very likely loss for a casino visitor who comes to the site through his affiliate link.

In other versions of letters suggesting exploitation of a vulnerability discovered in a casino, cybercriminals suggest downloading (and sometimes buying) and installing a certain program that supposedly allows exploiting the vulnerability. In fact, such a program turns out to be spyware.

Tempting quick money offers

Such letters are characterized by the following reasons: “This letter is NOT spam. This is a really good offer that will be difficult to refuse. This message is sent to you only once, and if you ignore it, then you will regret all your life about the missed opportunity ... ". As a rule, the text of the letter further refers to the financial pyramid: the user is invited to pay the author of the letter (curator) a certain amount, and then forward this letter further, receiving the same amount from each of the recipients (to become their curator), plus some part of the profit their "wards" of a lower level. Such a scheme promises fabulous incomes to each of the participants, but in reality, people who have pecked at the bait of swindlers will forever part with their money.

The creators of fake jobs came up with a slightly trickier way. Typically, in such letters, spammers on behalf of employers promise future employees high incomes and claim that nothing special needs to be done to receive them. After establishing contact with a potential victim, fraudsters are often not even interested in confirming the qualifications of a future employee, but they ask him to send a certain amount of money for detailed information or for postal expenses, and they urge to hurry up, because someone else may take a vacant place.

Sometimes fraudsters carry out targeted attacks, sending out “profitable offers” to the addresses of users who posted their data on job search sites. Applicants are invited to participate in a real international project related to the extraction of gold or diamonds, the manufacture of medical equipment, vaccines, chemicals; with investments, construction and / or conclusion of service contracts. As a rule, this business is related to the field of employment of the applicant or his business contacts and requires professionalism and experience. But then the stage of payment of “administrative expenses” invariably sets in, and the victim’s money settles in the pocket of the scammers.

Subject: Prospective Employee

Attn: Prospective Employee,

Spiralnergy Exploration, UK is an oil and gas exploration and production company based in United Kingdom.

The Company's producing properties and Exploration activities are focused on the UK Central North Sea.

The goal of Spiralnergy Exploration in the near term is to achieve oil production from its interests in the North Sea while carrying out an active exploration / development program on both its own properties and in various joint venture opportunities currently being considered by the Company.

Spiralnergy Exploration, UK hereby inform that, you have been shortlisted as one of the personnel / expatriate for our upcoming project schedule to commence March, 2008.

The project involves the construction of a new LPG (Liquefied Petroleum Gas) Plant and Oil Wells at UK Central North Sea, UK.

You are hereby require to send your detailed resume and application via fax or email attachment to us in not later than 5 (five) days of receiving this email.

All resumes / application should be in MS Word format.

Thanks for your interest.

William peters
{Address}, UK

This email and any attachments to it contain information that is confidential and may be privileged. It is for the exclusive use of the intended recipient (s). If you are not the intended recipient (s) please note that any form of distribution, copying or use of this communication or the information contained in it is strictly prohibited and may be unlawful. If you have received this email in error, please return it to the sender (Spiralnergy Exploration) and delete the email from your records.


To draw money, spammers resort not only to the carrot, but also to the whip, namely to threats. Most often, these threats are completely “innocent” in nature: we will stop sending spam only if you pay. But there are also far less harmless ones, for example, letters on behalf of an assassin demanding a ransom from the addressee in exchange for life.

Subject: BE WARN !!!

I am very sorry for you Xxxxxx, is a pity that this is how your life is going to end as soon as you don't comply. As you can see there is no need of introducing myself to you because I don’t have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.
Someone you call a friend wants you Dead by all means, and the person have spent a lot of money on this, the person also came to us and told me that he wanted you dead and he provided us with your name, picture and other necessary information's we needed about you. So I sent my boys to track you down and they have carried out the necessary investigation needed for the operation on you, and they have done that but I told them not to kill you that I will like to contact you and see if your life is Important to you or not since their findings shows that you are innocent.
I called my client back and ask him of your email address which I didn't tell him what I wanted to do with it and he gave it to me and I am using it to contact you now. As I am writing to you now my men are monitoring you and they are telling me everything about you.
Now do you want to LIVE OR DIE? As someone has paid us to kill you. Get back to me now if you are ready to pay some fees to spare your life, $ 4,000 is all you need to spend You will first of all pay $ 2,000 then I will send a tape to you which i recorded every discusion in made with the person who wanted you dead and as soon as you get the tape, you will pay the remaining $ 2,000. If you are not ready for my help, then I will carry on with my job straight-up.

SMS to short numbers

In parallel with the use of fraudulent schemes characteristic of the western segment of the Internet, Runet scammers are inventing new ways to lure money. In particular, they rent short numbers from mobile operators and send spam, the task of which is to provoke the sending of SMS messages to the rented number. The fraud scheme is based on the fact that when sending an SMS to a short number, a certain amount of money is automatically withdrawn from the sender's account, part of which the tenant of the number receives. To achieve their goals, scammers use various tricks: from offers of free Internet access and promises of winning to threats to block the mailbox if the user does not send SMS.

In one of these mailings, recipients were even asked to unsubscribe from spam. The spammer claimed that he wanted to "be a law-abiding citizen," and, referring to the Law "On Advertising" that entered into force on July 1, 2007, he suggested that those wishing to exclude their address from spamming databases by sending a free SMS message. The spammer promised that after sending the SMS, the user will receive a link to a web page where allegedly spamming address databases are published, and will be able to delete his email from them. Needless to say, non-compliance with the law was the main goal of the author of the letters!

In more complex combinations, a letter can only contain a link to a website specially created by spammers. On the site, the user (already involved, for example, in the process of obtaining “winnings”) is invited to send an SMS message to a short number. Such lengthening and complication of the scheme, leading to SMS sending, which is desirable for spammers, is intended to lull the attention of even the most vigilant users.


According to the classification of Kaspersky Lab, fraudulent spam emails belong to the subject of “Computer fraud”, which in 2007 accounted for about 7% of all spam. In the first quarter of 2008, this indicator more than halved and amounted to 2.5%.

Although the proportion of fraudulent emails in spam has decreased, observations show that spam fraud is becoming more dangerous: attackers hone their skills and more often carry out targeted attacks. And if in order not to fall for the bait of "well-wishers" who offer easy and quick ways to enrich themselves, users of e-mails need just the usual prudence, then more sophisticated fraud options are much more difficult to recognize. As for phishing, the fight against this kind of fraud can not do without software protection.

We can advise users not to trust the good intentions of spammers and use software that provides reliable protection against spam, phishing and malware. Despite the apparent triviality of these recommendations, their implementation will allow you to keep safe not only data on computers, but also money.