Yesterday I found a spam mail in my inbox. I inspected it in order to find out why DSpam and SpamAssassin failed. You can find the raw German mail here; here's a translation:

Good Morning. We got to know each other on the website of acquaintances. I want to continue communicating with you, that's why I sent you my picture. I live in RU, the distance is no problem for me. We can communicate us. How old are you? Write me please and send me your photo. I'll be waiting.

The text has poor grammar and lacks any German umlauts.

What actually made me wonder was the purpose of the mail. Usually a spammer wants you to click a link or something, probably to infect one's PC or verify an active mail at least.

Why would a spammer want to know my age and a picture of mine?

Vilican
Sebb
  • "The text has poor grammar and lacks any German umlauts.": [That is a deliberate tactic](http://security.stackexchange.com/a/96154/94069). – BCdotWEB Dec 09 '15 at 15:01
  • @Mawg The image is encoded in the raw data, see pastebin link ;) – Sebb Dec 09 '15 at 15:58
  • There's the classic "online dating scam", of course, in which someone actually attempts to gain another's trust via direct communication, then solicits a gift of money or a "loan" which will never be repaid. This sounds more generic, though - the dating scam is generally a more individual communication to a chosen target, I think. – recognizer Dec 09 '15 at 16:12
  • Could it be something as mundane as a malware/virus in the supposed photo? The MIME is `application/octet-stream` which suggests something slightly sinister... – Boris the Spider Dec 09 '15 at 17:04
  • @BorisTheSpider My webmail client was able to show it as an inline image. The file extension was jpg, too, so I didn't further analyze the image. May be worth investigating, though. I intentionally posted the raw mail/image to allow analyzing it. – Sebb Dec 09 '15 at 17:40
  • They're likely trying to create fake-ish profiles somewhere and need real people's images to use so that it's not so totally obvious. – SnakeDoc Dec 09 '15 at 22:24
  • The image, if taken with a smartphone, might also contain metadata about your location, which might be useful to him – mowwwalker Dec 09 '15 at 22:34
  • Could easily be the first step in a social engineering op. Many others will think it's harmless and respond. Now the scammers step it up. Maybe photoshop blackmail? Try grabbing a random pic from google and respond.. see what happens. – BAR Dec 10 '15 at 00:26
  • Identity theft maybe? As it asks for age too, probably for more of these scams. – ave Dec 10 '15 at 22:27
  • For anyone that doesn't want to go through the hassle of decoding the base64 on their own, here's the image: https://www.dropbox.com/s/j2x1v2wkq3xnuj5/scam_pic.jpg?dl=0 If you plan on looking at the image metadata you must download the image as you would any other file, as the preview of the image has had the metadata stripped from it. – DaveTheMinion Dec 13 '15 at 06:11

11 Answers

There was a psychology experiment where two groups of homeowners went door-to-door and asked, ironically, for people to consent to display a large and ugly sign in their yard that said some form of, "Keep America beautiful."

What distinguished how the two experimental groups were treated was that one group was asked beforehand to agree to display an index card in their front window with the same theme. Almost everybody agreed to display the index card.

Agreeing to display the index card had a notable effect. People who were asked up front to display the sign in their yard usually refused (about 30% of them agreed). People who had displayed the index card usually agreed (about 70% of them agreed).

The point made in reference to this experiment has been called the "foot in the door effect." Agree to something little, and you are much more likely to agree to much more.

Add in this case that if someone is trusting, and perhaps like many people online a little lonely, sending a picture may not seem too much to ask. And you have a foot in the door opening up to problems much worse than mishandling of the German language.

Deer Hunter
Christos Hayward
  • This is very interesting. Do you have a reference to this experiment? – leancz Dec 10 '15 at 09:41
  • This is actually a well-known piece of psychology. Start from the reference material on [Wikipedia](https://en.wikipedia.org/wiki/Foot-in-the-door_technique). This sign story is also listed there, but lacks a citation, but there are others with citations you can look at. There's been a lot of research done on this. – phyrfox Dec 11 '15 at 03:41
  • @leancz You may want to read [this book](http://www.amazon.fr/influence-Psychology-Robert-PhD-Cialdini/dp/006124189X) also which explains this principle (as well as others). This book was a life-changer for me. – ereOn Dec 12 '15 at 13:58
  • The foot-in-the-door method and its counterpart, the door-in-the-face method, are both known negotiating tactics and are the kind of thing that might be taught to salespeople. The door-in-the-face tactic is where the first request is for something outrageously large or too much, the target will refuse, then the next request will be for only a bit less. The target, having refused the first request, might feel as if it would be unfair to refuse a seemingly more reasonable request. The initial request also set a grounded expectation for what kind of range might be seen as reasonable. – thomasrutter Dec 13 '15 at 12:06
  • The purpose of both is to try to get someone to agree to a less favorable deal than they would have agreed to had you led with that deal as your first offer. – thomasrutter Dec 13 '15 at 12:09
  • Reference to the experiment in this answer is Freedman and Fraser 1966 "Compliance without pressure". Link: http://summitevergreen.com/wp-content/uploads/2015/06/compliance_without_pressure_the_foot_in_the_door_technique.pdf – leancz Dec 28 '15 at 11:59

What I miss in the other answers is that an image may contain extremely useful information about you. A jpg contains blocks like the EXIF metadata (here in IrfanView):

[image: EXIF metadata as shown in IrfanView]

and even more interesting, the IPTC or XMP metadata:

[image: IPTC metadata]

giving the spammer possibly:
- camera type (how expensive and sophisticated)
- your full name
- under contact possibly your full address!
- your location, sometimes even the GPS coordinates
- the time the image was taken.

You can remove the header information with jpegtran or other image optimizers. I do not know why camera producers do this (or I suspect they exactly know why they do this and do not care or actively try to get money for the information), but with their programs you should install for accessing the camera they insert loads of valuable information about you.

ADDITION: @Erroneous pointed out in the comment (in case it gets deleted) that images are often taken and sent by a smartphone. This allows attackers to identify the running OS (possibly finding out if the device is vulnerable) and gives the IP address, allowing e.g. to pinpoint the current location and to get other information. In the case of the example we know, for instance, the person's name and that he married on July 20th, 2007. This gives possible entry points for security access codes (keycode: 2007; safe code: 20-07-20; telephone question for the bank account: "When did I marry?").

Thorsten S.
  • Don't forget that most people will be using their phone to take a picture, and probably send the email. Using the EXIF data could tell you if you use an Android smartphone vulnerable to Stagefright. This in combination with your IP could be quite useful. – Erroneous Dec 10 '15 at 18:19
  • The question remains: Why didn't Kai get married at the magical date 13 days earlier just like gazillions of other couples? – Hagen von Eitzen Dec 10 '15 at 20:59
  • @HagenvonEitzen Kai has perhaps a preference for duplicate repetitions ("2007 2007") instead of triple ones (07 07 07). – Thorsten S. Dec 11 '15 at 00:57
  • The reason camera producers attach all this header information is supposed to be to ease organization and tagging of photos (mostly for professionals). What I don't get, however, is why it's enabled by default. It seems like nothing more than a security risk for most users. It reminds me of how Facebook used to post your location by default. They didn't remove that until it blew up. I'm not aware of any equivalent happening to cameras (and camera software is slow to change). – Kat Dec 18 '15 at 16:28
  • I think this is a better answer than the currently-accepted answer. I am not discounting the analogy posted by JohnathanHayward, but this is an incredible example of how powerful metadata can be. – Mark Buffalo Feb 05 '16 at 18:21
  • Plus, with a photo, one might do a reverse-image search on Google and get the social networks info of the targeted person. – Xenos Jun 29 '18 at 11:53
  • Do mobile devices really include the IP address in EXIF? That seems rather unlikely... EXIF is meant to be useful to photographers (and it usually is), so including the IP address just seems silly since it is irrelevant to the photo itself as opposed to, say, name of the photographer, location, date, camera model, aperture, resolution, ISO, flash settings, color settings, etc. – forest Jun 30 '18 at 06:54
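The metadata blocks this answer describes can be read, and stripped, in a few dozen lines. The following is an added example and not code from the answer or its author: it walks the JPEG marker segments, decodes the Exif IFD0 and GPS sub-IFD (three TIFF field types only) and writes a copy without the APPn/COM segments, which is what the jpegtran suggestion above achieves. All function and tag names are my own, and the sample file that `build_sample_jpeg()` produces is constructed test data with made-up coordinates, not a real photo.

```python
"""Added example, not code from the answer or its author: a minimal JPEG metadata
inspector/stripper. It walks the marker segments, reports which metadata blocks exist
(APP1/Exif, APP1/XMP), decodes a few Exif tags including the GPS position, and copies
the file without those blocks (the effect of jpegtran -copy none). build_sample_jpeg()
returns constructed test data, not a real photo, and is not decodable as a picture."""
import struct

ASCII, LONG, RATIONAL = 2, 4, 5                       # TIFF field types handled here
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfoIFD",
             0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef",
             0x0004: "GPSLongitude"}
SOS, EOI = 0xDA, 0xD9

def iter_segments(data):
    """Yield (marker, payload) per header segment; at SOS (or a bare EOI) the rest of the
    file is yielded as one opaque payload so the entropy-coded scan can be copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts itself, not the marker
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def parse_tiff(tiff):
    """Decode IFD0 and, if linked from it, the GPS sub-IFD of an Exif TIFF blob."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]             # byte-order mark
    def read_ifd(off):
        found = {}
        for i in range(struct.unpack(bo + "H", tiff[off:off + 2])[0]):
            tag, typ, count, field = struct.unpack(bo + "HHI4s", tiff[off + 2 + 12 * i:off + 14 + 12 * i])
            if typ not in TYPE_SIZE:
                continue                                  # other field types are skipped here
            size = TYPE_SIZE[typ] * count
            # values of up to 4 bytes sit inside the entry, longer ones are pointed to
            raw = field[:size] if size <= 4 else tiff[struct.unpack(bo + "I", field)[0]:][:size]
            if typ == ASCII:
                val = raw.rstrip(b"\0").decode("ascii", "replace")
            elif typ == LONG:
                val = struct.unpack(bo + "I", raw)[0]
            else:
                val = [struct.unpack(bo + "II", raw[k:k + 8]) for k in range(0, size, 8)]
            found[TAG_NAMES.get(tag, "0x%04X" % tag)] = val
        return found
    tags = read_ifd(struct.unpack(bo + "I", tiff[4:8])[0])
    if "GPSInfoIFD" in tags:
        tags["GPS"] = read_ifd(tags.pop("GPSInfoIFD"))
    return tags

def dms_to_decimal(rationals, ref):
    """GPSLatitude/GPSLongitude hold three RATIONALs (deg, min, sec); ref is N/S/E/W."""
    deg, minutes, sec = [num / den for num, den in rationals]
    return (deg + minutes / 60 + sec / 3600) * (-1 if ref in ("S", "W") else 1)

def inspect_jpeg(data):
    """Which metadata segments exist, plus the decoded Exif tags (None if absent)."""
    report = {"segments": [], "exif": None}
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            report["segments"].append("APP1/Exif")
            report["exif"] = parse_tiff(payload[6:])
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\0"):
            report["segments"].append("APP1/XMP")
    return report

def strip_metadata(data):
    """Copy without APP1..APP15 and COM segments (Exif, XMP, IPTC, comments); tables,
    frame header, APP0/JFIF and the scan data stay, so the picture still decodes."""
    out = b"\xff\xd8"
    for marker, payload in iter_segments(data):
        if marker in (SOS, EOI):
            return out + payload
        if not (0xE1 <= marker <= 0xEF or marker == 0xFE):
            out += segment(marker, payload)
    return out

def build_sample_jpeg():
    """Constructed sample (all values made up): big-endian TIFF with IFD0 -> GPS sub-IFD
    in APP1/Exif, an APP1/XMP packet, a dummy quantisation table and a two-byte scan."""
    entry = lambda tag, typ, count, field: struct.pack(">HHI", tag, typ, count) + field
    ptr = lambda off: struct.pack(">I", off)
    rat = lambda *v: b"".join(struct.pack(">II", n, 1) for n in v)   # RATIONALs, denominator 1
    # layout: header 0-8, IFD0 8-62 (4 entries), GPS IFD 62-116 (4 entries), data from 116
    make, date = b"ExampleCam\0", b"2007:07:20 14:30:00\0"
    ifd0 = (struct.pack(">H", 4) + entry(0x010F, ASCII, len(make), ptr(116))
            + entry(0x0110, ASCII, 4, b"X-1\0") + entry(0x0132, ASCII, len(date), ptr(116 + len(make)))
            + entry(0x8825, LONG, 1, ptr(62)) + ptr(0))
    lat, lon = rat(52, 31, 12), rat(13, 24, 36)          # 52 deg 31' 12" N, 13 deg 24' 36" E
    gps = (struct.pack(">H", 4) + entry(0x0001, ASCII, 2, b"N\0\0\0") + entry(0x0002, RATIONAL, 3, ptr(147))
           + entry(0x0003, ASCII, 2, b"E\0\0\0") + entry(0x0004, RATIONAL, 3, ptr(171)) + ptr(0))
    tiff = b"MM\0\x2a" + ptr(8) + ifd0 + gps + make + date + lat + lon
    return (b"\xff\xd8" + segment(0xE1, b"Exif\0\0" + tiff)
            + segment(0xE1, b"http://ns.adobe.com/xap/1.0/\0<x:xmpmeta>constructed</x:xmpmeta>")
            + segment(0xDB, b"\0" + bytes(64))
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\0\0\x3f\0" + b"\x12\x34\xff\xd9")
```

Run it on a real file with `inspect_jpeg(open(path, "rb").read())`; the IFD walk is the same structure IrfanView displays in its EXIF tab. `strip_metadata` keeps the scan data byte for byte, so it is lossless, but like `jpegtran -copy none` it also drops an ICC profile (APP2), which can change how colours are displayed.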

There are so many potential things that could be happening here. The attacker may try phishing by having you click a malicious link containing malware such as keyloggers or similar. The attacker could also try social engineering to gather all the information he/she can about you before attempting to get into your account. Keep in mind most e-mail servers will include the originating IP when sending e-mail, so they could get your IP and attempt to hack into your computer. The spammer may be just gathering active e-mail addresses to send spam later down the line.

Paul
  • The fascinating thing about this mail was that there was no link (that's why I was curious in the first place). I'm pretty sure that the client IP isn't in my mails, too. This could be the case for outlook and the likes, though. The information gathering for SE is a good idea, however. – Sebb Dec 09 '15 at 13:45
  • If you reply, the spammer knows it's an active address. They can therefore be certain that you will receive any spam sent, and thus your information could be of much higher value. – AStopher Dec 11 '15 at 23:41
  • Has Stagefright been used for anything besides denial of service? I was under the impression that ASLR made profitable attacks impractical. – Buge Dec 12 '15 at 18:28
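Whether the originating IP is in a given mail, as this answer says it usually is, can be checked on the raw message by reading the Received: chain from the bottom up. The following is an added example, not part of the answer: the message is constructed with RFC 5737 documentation addresses and is not the German mail from the question, the parser handles only the common "from X by Y" form of the header, and only IPv4 literals are extracted.

```python
"""Added example, not from the answer: walk the Received: headers of a raw message and
pick out the oldest hop that carries a non-internal address, i.e. the best guess at the
submitting client. The message is constructed (RFC 5737 documentation addresses)."""
import email
import ipaddress
import re

RAW_MESSAGE = (
    b"Received: from mx1.example.net (mx1.example.net [203.0.113.7])\r\n"
    b"\tby inbound.example.org with ESMTPS id abc123;\r\n"
    b"\tWed, 9 Dec 2015 10:02:11 +0100\r\n"
    b"Received: from [192.168.1.23] (unknown [198.51.100.42])\r\n"
    b"\tby mx1.example.net with ESMTPSA id xyz789;\r\n"     # ESMTPSA: authenticated submission
    b"\tWed, 9 Dec 2015 10:02:09 +0100\r\n"
    b"From: sender@example.net\r\nTo: victim@example.org\r\nSubject: hi\r\n\r\nbody\r\n")

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# RFC 1918 ranges spelled out instead of ipaddress.is_global, because is_private also
# matches the RFC 5737 documentation addresses used in this constructed sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_chain(raw):
    """One (from_clause, [ip, ...]) per Received: header, newest (top) first, which is
    the order in which servers prepended them. The from clause is whatever the receiving
    server logged: HELO name, reverse DNS and the peer address in brackets."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(.*?)\s+by\s", value, re.S)   # re.S: the header is folded
        clause = m.group(1) if m else ""
        ips = []
        for text in IPV4.findall(clause):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass                                      # e.g. a version number that looked like an IP
        hops.append((clause, ips))
    return hops

def is_internal(ip):
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918)

def originating_ip(raw):
    """Walk the chain from the oldest hop upwards and return the first address that is
    not loopback/link-local/RFC 1918. Only headers added by servers you trust are
    reliable: anything below them was supplied by the sender and can be forged."""
    for _clause, ips in reversed(received_chain(raw)):
        for ip in ips:
            if not is_internal(ip):
                return str(ip)
    return None
```

In the sample the oldest hop was an authenticated submission (ESMTPSA) from a home connection behind NAT, so the private address is skipped and the public one is returned. When the oldest hop is the provider's own webmail or submission server, that server's address is all the function can return; the client's address is then simply not in the mail.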

He may not be trying to get an image, but your confidence. That is why he/she sent his/her (most likely false) picture. It's social engineering at its best.

In the future he/she may ask you to click something or maybe will try to impersonate you with the information that he/she got along the way.

For now, the main goal is to get your attention.

As society, in general, gets aware of these schemes, they tend to evolve rather than disappear. At least while they are profitable enough. Before, one step of mail communication would be enough:

  • get someone to do something (eg.: check this cat video, download this relaxing fish tank screen saver, etc)
  • ask information directly (eg.: the King of Atlantis needs your help to get his money, you can get a nice reward. Please provide name, age, etc).

Now things start to get complex and you may need to get someone's attention and confidence first.

nsn

I just want to add sexting to the list.

They gain your confidence, you start exchanging pictures, innocent at first but getting racier ("she" will do the same, of course), at some point maybe even very compromising videos as they record you on some future Skype sessions - and boom, you're being extorted with the threat that all of this will be shared with your friends on Facebook unless you pay. Needless to say, payment usually doesn't save you from more extortion.

More likely, this is just a Russian brides scam. "She" (and it indeed could be a she, though probably hired by someone) will keep writing you if you reply, she will be kind and patient, asking a lot - well, she will be pleasant. When she has your confidence or, worse, you're already half in love, she will tell you about a very difficult situation she's in and only money can solve. It's likely she will not even have to ask you for it, you will offer it to her.

vic
  • I think the last paragraph is more likely as you suggest. I am sure I have read more than one article describing this scam, which I think is older than email. The first email here is likely 100% spam, but promising replies will be followed up by a real person, semi-scripted, waiting for a good point at which to insert one of several scams (a common one being having costs paid in travelling to meet their new "love", maybe followed up with the difficult situation) – Neil Slater Dec 13 '15 at 08:52

This sounds like someone wanting to create real-looking "fake" profiles on social media like Facebook, and searches for easy-to-digest input.

This is a real industry, as for example this report from theweek shows.

Marcel

As mentioned by Paul already there are many potentials and it's impossible to determine the real intent of this phishing attempt without reacting to it.

If the attacker attached his picture (as stated) directly to the email, it could be maliciously crafted and infect your PC. Users are generally more aware of infections through links than through images...

My best guess about the fact that he asks about your age and a picture is that he is targeting young naive people, looking for some attention. They are generally more inclined to advance on such questions than adults. Once they do, the spammer:

  1. knows it's an active mail address, and
  2. has more information about the victim allowing him to optimize his social engineering attack, for whatever purpose...
Stef Heylen

There are 2 angles. First one is, what can they actually do with your image:

  • Some people might indeed be stupid enough to respond with a dick pic, preferably one where their face is visible as well. Figure out their Facebook account and ask them if they'd like the picture sent to their friends list, or if they'd prefer to pay. Of course in reality they'll first try to get those people to wank off in front of a webcam, which is worth even more extortion money.
  • Normal people may just send a normal picture. A picture and a name is much better than just a name if you want to find out who exactly you're dealing with online. You can find out age, occupation, and income. You can also find out about hobbies and other activities that can be used to flirt with the target.
  • People who just answer to mess with the scammer can use a stock picture. Reverse image search and these people are easily filtered out, saving the scammer lots of time.

The second angle is the psychological effects:

  • People who respond with their picture are more likely to be gullible. This identifies easy targets.
  • By asking for something relatively harmless they can start a pattern of trust, where successively ever more information is transmitted. This can end in a picture of the credit card, a dick pic, or both.
Peter

It's not uncommon at all for a con attempt to try to get you to take an innocuous action first, getting a foot in the door with you, then in later communication get you to actually take whatever action it is that is their primary goal.

Why? Very simple...look at what you're doing right now...questioning whether it really is a con attempt because what they are asking for seems so innocent! That makes you more likely to respond than if they had made their play right from the start. And once you've exchanged a message or two you're far more likely to end up falling for their main play.

Jimbo Jonny

This is a Russian bride scam

They are flirting with you, and she'll immediately fall in love with you! (no matter that you don't even have the profile she saw!) and, at one point, you will be asked to give her money so she can visit you (sometimes there's another financial difficulty, like helping her pay some hospital invoices for her suddenly-sick mother). There are even cases where you visit her (see? she's not asking me money!) and are then tricked once you are there.

Ángel

Scammers can use your image to sell products by photoshopping you into holding the object or having the object around you. Those silly ads like "people right now are winning iPhones!" etc., we suspect they were stolen images, not actual actors.

anon