Help me understand this phishing technique.

I received an IM from my son’s friend yesterday. I was immediately suspicious since I haven’t seen him in a few years. A screenshot of most of our conversation is here.

A couple of questions come to mind:

Why would a phisher need to replace a few letters with special characters? For example, the “b” in website is not a normal b. Some of the lowercase “L’s” have been replaced as well.

The phisher also says that he accidentally typed the address incorrectly and wants me to remove one of the periods from the address. Why does he do this? Why didn’t he just have me click on a working link?

Apparently I can’t think like a hacker. This being GQ, I’ll leave it at that.

Well, typing the link wrong stops basic filtering from flagging it, I’m sure.
I suppose, too, using Russian characters (Cyrillic) should be another hint, and also help prevent any spam filtering or alert software from flagging this.

Is this an iPhone where blue means iCloud, i.e. the user has managed to hack into your friend’s account and is legitimately sending from his account? Or is it an Android, and it’s also possible the posts are being faked by a different source? (I.e. VoIP can fake any caller ID, not sure how that works with texting).

Obviously, they want to get you to go to their site, which will either try to sell you stuff, or push a virus out to you - or more likely, both.

I don’t know, but my guess for the L33T spelling is to avoid spam filters (so a spam filter that looks for “free iPad” might not notice “fr33 iPad”).

Could well be the same idea for the link, avoiding spam/scam filters. As well, there are various anti-virus type programs that automatically look at links and mark suspicious ones, which might not pick up on the malformed link.

Finally, and I doubt this is the major reason, it helps make the text seem like it was created by a human (only humans make spelling errors, then notice them).

It’s the Facebook IM app on the iPhone. I’m pretty sure that the phisher hacked into the account and was “legitimately” sending messages.

Which means he was just using the friends list and had no quick way of knowing you had not talked to the guy in years.

Also, if going through Facebook, all the more reason to use spelling and extra dots to ensure the content was not flagged by basic content analyzers. I’m sure Facebook does a lot of content analysis to catch this sort of activity… more than text message systems, anyway. Too many messages about free iPads probably alerts a human, as does a URL to a suspicious site.

Right. Here’s my guess. The two elements (double dot and odd characters) work together.

The extra dot may help avoid filters, but more importantly, it serves as an excuse to get you to type the url rather than click it.

The use of odd characters allows generating scores of urls that look alike but don’t match spam filters. These non-matching look-alike urls wouldn’t work if you clicked them.

Facebook certainly filters URLs. I discovered this when I tried to recommend Fluff Busting Purity to a friend, and Facebook flagged the URL as banned, and refused to send my message. The entire text of the scam is probably just pasted in, and risks being noticed by a simple screening process that notices lots of identical messages (as simple as hashing them and keeping stats on the hashes) so something that does 1337 style character substitution might be used to stay under the radar. It isn’t impossible that the entire scam is a bot.
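As an added example (not from any poster in this thread), here is the defender's side of the last two replies: flag words that mix Latin and Cyrillic letters, and fold homoglyphs, leet digits and the doubled dot into one canonical key so the "hash the messages and keep stats" screen still groups the variants together. The sample messages and the small confusables table are constructed for the example.

```python
import hashlib
import re
import unicodedata
from collections import Counter

# Constructed sample messages (not from the thread): one scam text pasted three
# times with different evasions, plus a benign message. Cyrillic lookalikes are
# written as escapes so the substitution is visible in the source.
SAMPLE_MESSAGES = [
    "check this website for a free iPad: www.example..com",
    "check this w\u0435bs\u0456te for a fr\u0435\u0435 iPad: www.example..com",  # Cyrillic е, і
    "check this web5ite for a fr33 iPad: www.example..com",                     # leet digits
    "see you at practice tomorrow",
]

# Minimal confusables table: Cyrillic lookalikes and leet digits -> Latin base letter.
# Folding digits is deliberately lossy; the result is only a fuzzy dedup key.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})


def mixed_script_tokens(text):
    """Return words whose letters come from two or more scripts (e.g. Latin + Cyrillic)."""
    flagged = []
    for token in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in token if ch.isalpha()}
        if len(scripts) > 1:
            flagged.append(token)
    return flagged


def canonical_key(text):
    """Fold homoglyphs, leet digits, case and doubled dots, then hash what is left."""
    folded = unicodedata.normalize("NFKC", text).lower().translate(CONFUSABLES)
    folded = re.sub(r"\.{2,}", ".", folded)        # "example..com" -> "example.com"
    folded = re.sub(r"[^a-z0-9.]", "", folded)      # ignore spacing/punctuation variations
    return hashlib.sha256(folded.encode()).hexdigest()


def duplicate_counts(messages):
    """Messages per canonical key; a high count is the 'many identical messages' signal."""
    return Counter(canonical_key(m) for m in messages)
```

Flagging mixed-script words is independent of the dedup key, so a single message with Cyrillic letters is caught even before any repeat is seen.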