This page has been robot translated, sorry for typos if any. Original content here.

Spam fraud (letters of joy)

The word “spam” often means only advertising letters, but this is not quite true: some types of spam are sent for another purpose. Such “non-advertising” spam, in particular, includes one of its dangerous varieties - fraudulent emails.

Spam technologies allow you to organize a mass mailing of fake messages, substitute fake sender addresses and use infected computers of unsuspecting users to carry out mailings. Not surprisingly, this attracts fraudsters and cybercriminals of various calibers: the specifics of spam creates conditions for deceiving users and for hiding traces of criminal activity.

The fact that the initiators of the newsletters are not easy to find due to the anonymity of the letters sent, and therefore cybercriminals can count on impunity, contributes to the criminalization of spam. Spammers' services are actively used by sellers of counterfeit or fake products, criminal service providers and virus writers.

This article focuses on fraudulent spam emails sent to lure money from recipients or gain access to confidential data with which users can steal money.


Phishing is the most dangerous spam fraud option.

With the help of phishing mailings (phishing from fishing), spammers try to get personal user data: logins, passwords (usually to online payment systems), credit card numbers and pin codes - in order to use them for profit . The most common targets of phishing attacks are users of Internet banking and payment systems.

Phishing letters imitate messages from reputable organizations (banks, financial companies, payment systems). As a rule, such letters contain a link to a fake page and, under one pretext or another, urge the recipient to enter his personal data, as a result of which they end up in the hands of fraudsters. In order for the victim not to guess about the deception, this page is framed in the same way as the website of the organization on whose behalf the message was sent (the sender’s address is also forged).

In some cases, after entering and sending data, the user's browser was redirected to this site, as a result of which the chances of the victim to suspect that something was wrong were reduced to almost zero.

Sometimes a user does not go to a fake website, but to a page infected by an exploit. Using a software vulnerability, the exploit installs a Trojan program on the user's computer that collects various information (for example, about access codes to the accounts) and sends it to its "owner". In addition, a machine infected in this way can become part of a zombie network and be used to carry out cyber attacks or send spam.

To deceive those who still pay attention not only to the appearance, but also to the addresses of visited sites, phishers mask the used URLs, trying to make them more similar to the original ones. Phishers began by registering on free hosting of domain names that are similar to the domain names of the websites of the attacked organizations, but over time they began to use more and more sophisticated methods for this purpose.

A typical look at this disguise can be seen in the following letter, targeting PayPal customers:

Only a very attentive person, pointing the cursor in the link in the letter, can notice that the link actually leads to the phishing site. The link is very similar to the address of a legitimate site, but the domain to which the user falls is completely different:

In this case, the "wrong" address will be displayed when you hover the cursor over the link in the letter, so that an advanced user is able to recognize a fake before clicking on a link.

There are more primitive options for cheating. The user allegedly on behalf of the administration or technical support service of a service receives messages in which, under various pretexts, it is proposed to urgently send a password from his account to the address indicated in the letter - usually under the threat of closing this account.

In RuNet, this technique is used by phishers mainly to gain access to users' mail accounts. It is worth noting that, controlling the user's mail, fraudsters through the password reminder system can take possession of his registration data on other Internet services.

Another common method of collecting passwords to mail is sending letters in which everyone is invited to take advantage of a “password recovery vulnerability”, using which, allegedly, you can find out the password of another user. In order to gain access to someone else's account, the recipient of the spam message must send to the specific address in a certain format the login of the future victim, as well as his password. Needless to say that the hunter himself becomes the victim of the intruders, taking advantage of the dubious proposal?

However, over time, users realized that serious companies never ask to send passwords in letters, and the effectiveness of such traps began to fall. So now spammers have to more carefully mask fake letters, as a result of which it becomes harder for recipients to distinguish them from legitimate messages.

Usually, western payment systems and banks with developed online banking and a large number of customers using them become targets of phishing attacks. However, with the development of online banking in RuNet, phishers increasingly carry out attacks designed primarily for Russian users.

One of the typical examples is phishing attacks on Alfa-Bank clients. The fraudsters worked according to the classical scheme: the e-mails sent by them imitated letters from the bank administration and contained a link to a fake website where the user was asked to enter his login and password to access the Internet banking system. The appearance of the page was an exact copy of the main page of the Alfa Bank website. In addition, fraudsters prepared unwary users an unpleasant "gift": when clicking on a link to users' computers, malware was downloaded. Attacks on users of WebMoney and Yandex.Money systems were similarly conducted; several times been targeted by Citibank phishers.

Attackers also often try to gain access to users' mail accounts by asking them for logins and passwords on behalf of the administration of Russian mail systems.

Spamming money with spam

In addition to phishing, Internet fraudsters use many other techniques that allow using hackers to lure hapless users into traps and rob them. Most often, spammers try to play on the naivety and greed of their potential victims, which, however, is typical of all scam artists. To achieve their goals, fraudsters use different schemes, and the most common ones will be discussed in more detail.

"Nigerian" letters

This popular fraud scheme was developed and actively used by fraudsters from Nigeria, for which it received its name. However, at present, “Nigerian” frauds are used by scammers all over the world.

When implementing the classic “Nigerian” scheme, spammers send letters on behalf of a representative of a noble family (usually living in some African state) who fell into disfavor at home due to civil war / coup d’état / economic crisis / political persecution. In the classic “Nigerian” letters, the addressee is addressed in broken English with a request to help “save” a large amount of money by transferring it from the account of the disgraced family to another account. For the money transfer service, fraudsters promise a solid reward - usually percentages of the amount transferred. During the “rescue operation” it turns out that the voluntary (albeit selfish) assistant needs to transfer a small amount compared with the promised remuneration for the transfer of / giving a bribe / lawyer’s fees, etc. As a rule, after transferring money, every opportunity to communicate with the “widow of the former dictator” or “the son of the late disgraced minister” disappears. Sometimes the victim is forced to fork out a few more times, under the pretext that another unforeseen complications have arisen.

Sometimes the sender seems to be a high-ranking official who allegedly managed to earn a fairly large fortune with the help of bribes and frauds, but is now under investigation and cannot take money out of the country. To transfer money, he needs to provide access to some bank account. For assistance, the addressee is offered a certain percentage of the total amount. It is clear that having obtained the desired control over the account of a gullible user, fraudsters do not leave a penny on it.

What only dramatic stories are not told in the "Nigerian" letters! You cannot deny their authors their fantasies, and it was not for nothing that in 2005 the “Nigerian” fraudsters were awarded the Antinobel Prize in Literature. The Russian plots were not left without their attention: in the same 2005, typical “Nigerian” messages in English were sent on behalf of relatives and people from the close circle of disgraced oligarch Mikhail Khodorkovsky. This ended the Russian specifics - otherwise there were no differences from the classical "Nigerian" fraud scheme.

Dear friend,

I am Lagutin Yuriy and I represent Mr. Mikhail Khordokovsky the former CEO of Yukos Oil Company in Russia. I would like to pay for a total of $ 450 million. I will give you the details of the Bank Menatep. This is a legitimate transaction. You will be paid 4% for your "Management Fees".

If you are interested, I will provide you with your information. Please keep this confidential; We can't afford any more political problems. Finally, please note. Please write back promptly.

Write me back. I look forward to it.


Lagutin yuriy

There is also a romantic version of this scheme of spam-fraud letters from "Nigerian" brides . Touching messages are sent on behalf of girls living in distant exotic countries. A photo of a dark-skinned beauty is attached. As a rule, fraudsters conduct targeted attacks - such letters are most often received by users who register on dating sites. If a potential victim is included in the correspondence, they tell a story in the spirit of soap operas: “They killed the relatives, they don’t let me out of the country, and I’m actually a rich heiress ...” In the third letter, the girl already swears eternal love and asks to take her out of the country along with her millions. All that the savior hero needs to do is to help transfer millions of orphans from the country, and for a solid reward. Of course, the assistant is required upfront costs, which amount to several thousand, and sometimes tens of thousands of dollars. For greater persuasiveness, an imaginary pastor and a lawyer are connected to the case. At the final stage of the scam, false documents are used.

Fake lottery notifications

This type of fraudulent spam is close to Nigerian letters . Fake notifications about winning the lottery , allegedly held among random e-mail addresses / phone numbers, and offers to receive "free" gifts as winnings are sent to users. In order to be persuasive, such a letter may contain a photo of the prize and various “attributes of authenticity” of the lottery - the ticket number, registration / license certificate and other false information. As in the previous case, in order to receive the winnings, the user is offered to make a payment on a certain amount on the accounts indicated by the scammers under various pretexts.

There were Russian versions of such letters, the text of which was clearly translated from the original English using an automatic translator.

Recipients of such notifications should first of all remember that participation in any lottery is impossible without the consent of the user. If you have never given such consent (and, most likely, do not know anything about the lottery in which you allegedly won), then you are dealing with a typical message from scammers who are trying to lure money from the recipient, and not at all make him happy.

"Errors" in payment systems, magic wallets, code generators

In spam letters of this type, the user is informed that a vulnerability has been discovered in a certain payment system that allows “to make a profit”. Next comes a description of the nature of the vulnerability and offers a recipe for earnings, which usually consists in sending a certain amount of money to a “magic” wallet. Scammers promise that some time after the transfer, the money will be returned to the user in doubled (tripled, etc.) quantities. Of course, such a "magic" wallet belongs to fraudsters, and the money transferred to it for the user will be irretrievably lost. And the victim will not be able to complain (submit a statement to the police: “I tried to hack the payment system and as a result I lost money”).

Subject: Interesting


Hello! I want to tell you how I was deceived at 150 WMZ, but I won back. I found somewhere in the network an article of approximately the following content: "There is a magic WMZ purse in the WebMoney system, and everything you send to it will be returned to you in tripled size !!! Any amount! Send a thousand - get three thousand" and t .d ... I did not believe it, but curiosity took its toll and sent $ 5 for the test. Checking the next day, I saw that I had not returned any money. I thought that this was the way it should be, and therefore I did the right thing to send such a small amount of everything.
However, somewhere in 3-4 days I checked my wallet and found a transfer for 15 dollars! I was surprised. I even stopped thinking about the money coming back. Then he sent another five, three days, and again the same. Then I sent 8 dollars, in 3 days I received 24. Immersed finally, I sent everything that I had, about 150 WMZ. What happened next, I think you already understood. Nobody sent me any 450 WMZ, and my 150 also disappeared forever.
It is clear how they work. At first, no one will send much, so they give money to make people bold. Having lost 30 dollars first, they received 150 dollars later. Climbing in the search engines, I found many similar articles, oddly enough, the wallets in them very often repeated. In general, it’s me that if you are careful and send a small amount of $ 4, you can always get three times more. They have a special program that looks at who made how many translations and how much to determine when to stop. Transfers up to $ 16 they never take. Only if you send it more than 4 times in a row from one wallet. That is, sending 15 WMZ, in any case, you will receive 45 WMZ, because The amount is small, and they will wait for you to send more. But the amount is less than 5 WMZ (even 4.99), the program swallows, without returning. If you carefully send them small amounts from different wallets, you can deceive them. They no longer look at the translations themselves; a special program does this for them, which makes it easier for them to cheat. How to deceive scammers and earn up to $ 50 (WMZ)? You need to open about 5 wallets, and constantly send, and always be in the black. I now earn about 500 WMZ per month (you can do more). This is not millions, but it is more or less stable income. There are tens (and maybe hundreds) of thousands of money on these wallets, and it annoys me a lot how they throw people, so you have to ruin them. All the same, sooner or later they will see that they go to a minus and change their system. Personally, I send four transfers to ZXXXXXXXXXXXXX every week, for an amount of 19 WMZ and about ten for 3 WMZ to these wallets (i.e. if you have no money at the first stage, you can transfer $ 3 until you swing, and how to get the amount of $ 19, you need to work bigger. After the bet you should not raise, because they can throw), and always get tripled amount back. A month later, I change my WMZ wallets and do the same. Having climbed the Internet for some time, I found some more similar offers and found that WMZ wallets in them are repeated. After several tests, I compiled a list of these wallets that give you a profit. And yet, quite recently I found a wallet in rubles: the minimum is 62 WMR, the maximum is 910 WMR. If more or less - do not return. I did not indicate anything in the note on WMR, the money was returned within two days.

For those who do not know what WebMoney is all the information on

Another type of fraud is when the victim is offered a program that generates credit card numbers, systems for covertly debiting money from other people's accounts / wallets, etc. Often, such programs are offered for money, but it is reported that 1-3 accounts can be hacked for free to get an idea of ​​how the program works. The key point is that for the operation of such programs, you must enter your card / wallet number and password. When attempting such a “hack”, the entered data is transferred to the intruders, which allows them to get money from an account or an electronic wallet for an easy moneymaker.

The scheme in which fraudsters offer a program that generates card codes for paying for cellular services or connecting to the Internet is similar to the previous one, but it is proposed to enter the code of an unactivated card that serves as a model for reproduction into the code generator. As in the case of credit cards, the entered data are transferred to fraudsters, and the program simulates the rapid process of computing. While the victim is waiting for the result, the fraudsters are already using their data to pay their bills using a “model” user card.

"Leaky Casino"

Another type of fraud is as follows: the user receives a letter with a text similar to the following: “After long hours of play, a hole was found in the script, allowing you to win in an online casino guaranteed. We just wonder how the admins didn’t notice this! .. ”The following describes in detail the“ winning ”betting strategy and provides a link to the casino site. Of course, it is not the love of humanity that is driven by the authors of such messages, and no “hole in the script” actually exists. The fact is that a spammer gets a certain percentage in the case of a very likely loss of a casino visitor who comes to the site through his affiliate link.

In other variants of letters with a proposal for exploitation of a vulnerability found in a casino, attackers propose to download (and sometimes buy) and install a program that supposedly allows exploiting the vulnerability. In fact, such a program turns out to be malicious spyware.

Tempting quick money offers

Such letters are typical for such letters: “This letter is NOT spam. This is a really good offer that will be difficult to refuse. This message is sent to you only once, and if you ignore it, you will have been sorry for the lost opportunity all your life ... ” As a rule, later in the text of the letter it is said about the financial pyramid: the user is offered to pay the author of the letter (curator) a certain amount, and then send this letter further, having received the same amount from each of the recipients (become their curator) plus some part of the profits from their "wards" of the lower level. Such a scheme promises fabulous incomes to each of the participants, but in reality, people who have taken the bait of scammers will part with their money for good.

A few more cunning way came up with the creators of fake jobs. Usually, in such letters, spammers on behalf of employers promise high incomes to future employees and argue that nothing special needs to be done to receive them. After establishing contact with a potential victim, fraudsters are often not even interested in confirming the qualifications of the future employee, but they ask him to send a certain amount of money for detailed information or for postal expenses, and urge to hurry, as someone else may take the place.

Sometimes fraudsters carry out targeted attacks by sending out “lucrative offers” to the addresses of users who have posted their data on job search sites. Applicants are offered to take part in a real international project related to the extraction of gold or diamonds, the manufacture of medical equipment, vaccines, chemicals; with investment, construction and / or service contracts. As a rule, this business is related to the field of employment of the applicant or his business contacts and requires him to have professionalism and experience. But then invariably comes the stage of paying for “administrative expenses”, and the money of the victim is deposited in the pocket of the scammers.

Subject: Prospective Employee

Attn: Prospective Employee,

Spiralnergy Exploration, United Kingdom.

The Company's producing properties and exploration activities are focused on the UK Central North Sea.

In the United States of America, it is currently being considered by the Company.

Spiralnergy Exploration, UK, hereby, you have to be shortlisted for March 2007.

The project includes the Liquefied Petroleum Gas (LPG) Plant and Oil Wells at the UK Central North Sea, UK.

More than 5 (five) days of the receipt of this email.

All resumes / application should be in MS Word format.

Thanks for your interest.

William Peters
{Address}, UK

This is a confidential and may be privileged. It is for the use of the recipient (s). It is strictly prohibited to use it. If you have received this email in error message, please send it to your sender (Spiralnergy Exploration).


To extract money, spammers resort not only to gingerbread, but also to the whip, namely to threats. Most often, these threats are quite “innocent” in nature: we will stop sending spam only if you pay. But there are less harmless ones, for example, letters on behalf of an assassin demanding a ransom in exchange for life from the addressee.

Subject: BE WARN !!!

I’m very sorry for you. I cann’t have to go for it. that.
It is a question of information's we needed about you. It is a question. It is innocent.
I am using my email address. As I am writing, you are telling me about you.
LIE OR DIE? As someone has paid us to kill you. If you are ready to make it, then you will you will get the tape $ 2,000. If you are not ready for my help, then I will carry it on with my job straight-up.

SMS to short numbers

In parallel with the use of fraudulent schemes characteristic of the western segment of the Internet, the fraudsters of Runet invent new ways to defraud money. In particular, they rent short numbers from mobile operators and send spam, the task of which is to provoke sending SMS-messages to the leased number. The fraud scheme is based on the fact that when sending an SMS to a short number, a certain amount of money is automatically withdrawn from the sender’s account, a part of which is received by the tenant. To achieve their goals, fraudsters use various tricks: from offers of free Internet access and promises of winnings to threats to block a mailbox if the user does not send SMS.

In one of these lists, recipients were even asked to unsubscribe from spam. The spammer claimed that he wanted to "be a law-abiding citizen," and, referring to the Law on Advertising, which came into force on July 1, 2007, suggested that those who wish to exclude their address from the spam database send a free SMS message. The spammer promised that after sending the SMS, the user will receive a link to a web page where the spam database of addresses is allegedly published, and will be able to remove his email from them. Needless to say, non-compliance with the law was the main goal of the letter's author!

In more complex combinations, a letter may contain only a link to a site specially created by spammers. On the site, the user (already involved, for example, in the process of obtaining a "win") is invited to send an SMS message to a short number. Such lengthening and complication of the scheme leading to the SMS sending sent for spammers is intended to lull the attention of even the most vigilant users.


According to the classification of Kaspersky Lab, fraudulent spam emails are related to Computer Fraud, which in 2007 accounted for about 7% of all spam. In the first quarter of 2008, this figure more than doubled to 2.5%.

Although the proportion of fraudulent emails in spam has decreased, observations show that fraud with spam is becoming more dangerous: attackers hone their skills and increasingly conduct targeted attacks. And if, in order not to fall for the bait of "well-wishers" who offer easy and quick ways to enrich themselves, e-mail users have enough ordinary prudence, then it is much more difficult to recognize more sophisticated fraud options. As for phishing, in the fight against this type of fraud can not do without software protection.

We can advise users not to believe the good intentions of spammers and use software that provides reliable protection against spam, phishing and malware. Despite the seemingly triviality of these recommendations, their implementation will allow you to keep safe not only data on computers, but also money.