More intelligent spammers

I suppose there are two ways for a spammer to evolve their craft: 1) create a better piece of malware (package), or 2) create a better invitation.

Although the packages have progressively been getting better, I’ve been of the opinion that the invitations have not improved at the same pace.

However, I did receive an interesting semi-targeted spam today that made me curious.  Here’s the text:

——————————————————————————–

Mr Trenton Zakary , recommended us your company Exclamake!. Below you will find a proforma invoice with the full details of our first order. Please sign and send back to us by fax or email: proforma-invoice

Thank you in advance, and contact us as soon as you can, with a full offer. Also let us know if the prices you published here at http://www.apicella.org/ are right or not.

——————————————————————————–

Manager Kobe Derick .
Hunter & Soons LLC, California
Phone: 388-638-6978
Fax: 942-552-8828

Note that it’s well written, provides some information suggesting it’s a local company (California), includes our complete company name with the exclamation point, links to an apicella.org that appears legit, and has no spelling errors!

Now, where it lacks some credibility: the area codes for Phone and Fax don’t match, neither area code exists, the header says the message is from Branson & Soons LLC while the footer says it is from Hunter & Soons LLC, and the reply email is noreply@superpages.com.
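The inconsistencies listed above can be checked mechanically during mail triage. The following is an added example, not part of the original post; the header layout of the sample message, the `triage` function, the flag names and the partial California area-code list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: body details come from the post, header layout is assumed.
SAMPLE = """\
From: "Branson & Soons LLC" <noreply@superpages.com>
Reply-To: noreply@superpages.com

Please sign and send back to us by fax or email: proforma-invoice

Manager Kobe Derick .
Hunter & Soons LLC, California
Phone: 388-638-6978
Fax: 942-552-8828
"""

# Assumption: partial list of California area codes; load NANPA data in real use.
CA_AREA_CODES = {"209", "213", "310", "323", "408", "415", "510", "530", "559",
                 "562", "619", "626", "650", "661", "707", "714", "760", "805",
                 "818", "831", "858", "909", "916", "925", "949", "951"}

def triage(raw, state_codes=CA_AREA_CODES):
    """Return a sorted list of inconsistency flags found in one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = set()
    # Header sender name vs. the company named in the signature block.
    display, _ = parseaddr(msg.get("From", ""))
    sig = re.search(r"^(.+?\b(?:LLC|Inc|Ltd)\b)", body, re.M)
    if sig and display and sig.group(1).strip().lower() != display.strip().lower():
        flags.add("sender-name-mismatch")
    # A message that asks for an answer but can only be answered to a no-reply box.
    _, reply = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    if re.match(r"no[-_.]?reply@", reply, re.I):
        flags.add("noreply-reply-address")
    # Phone and fax area codes: compare with each other and with the claimed state.
    codes = dict(re.findall(r"^(Phone|Fax):\s*(\d{3})-\d{3}-\d{4}", body, re.M))
    if len(set(codes.values())) > 1:
        flags.add("area-codes-differ")
    if any(code not in state_codes for code in codes.values()):
        flags.add("area-code-not-in-claimed-state")
    return sorted(flags)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each flag on its own is weak evidence; a filter would normally score them together rather than block on any single one.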

Clicking on the proforma-invoice link takes you to a webpage with a thumbnail of a .scr file (with who knows what kind of package). The HTML file itself is exploiting one of the more recent XML4 vulnerabilities. Microsoft identifies it as HTML/Xmlreq.A. ISC has info here. My guess is that my email address (company inbox) was harvested from superpages.com and this spam was generated from a script to insert the state.

Be careful!

