
After I received dozens of spam mails over the last year at my trashmail (used for "You must log in once to check out this product.."-sites, etc.), I noticed they were mostly translated horribly (if they are translated at all).

I thought about that after reading the Wikipedia article about the ransomware "Locky", where the spam message pattern was shown.

Dear (random name):

Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.

Hoping the above to your satisfaction, we remain

Sincerely, (random name) (random title)

Referring to my experience, only a few mails were translated well enough to even consider them as being in my native tongue (German, by the way).

So, I was wondering if non-English users are theoretically better protected from international scam/phishing than native speakers. Of course there are a lot of properly translated versions out there, or the senders are also based in the same country, but my inbox is dominated by non-German spammers.

Or would you (as a 'normal' user) trust a [insert random title here] who can't properly speak your native language and therefore sounds like Master Yoda with dyslexia? Or if it was in English, I'd wonder "Why the heck would a [insert random country I've never heard of] lawyer write to me in English?"

I believe these users are a bit safer, as Phishing is mostly about gaining the victim's trust.

I'm interested in whether this thesis is true.


Edit: It's awesome to see how multifarious the Answers and Comments are. Kudos to the Stack InfoSec Community.
– pguetschow
  • This would make an interesting subject for a study thesis. I personally would agree to some degree, but I feel this advantage is eroding as phishing becomes more widespread and better "implemented". – Marcel Oct 18 '16 at 09:07
  • Regarding the "horribly translated" part, this is most likely intended. See for example: https://www.quora.com/Why-are-email-scams-written-in-broken-English – tmh Oct 18 '16 at 11:48
  • I've had the same email address for 7 years, but I've never got any spam… – wb9688 Oct 18 '16 at 12:10
  • @wb9688 Then you're lucky. I have also used my "professional/personal" address for about 5 years and also didn't encounter (except a few) spam mails. But as I wrote, this is the mail I use for free stuff, trials, etc., where the chances are higher that your mail finds a way into some Chinese spam list for cheap Viagra. – pguetschow Oct 18 '16 at 12:12
  • Enormous amounts of phishing spam targeted at English readers are also horribly translated. Of all the phishing attempts related to Battle.net impersonation (I've gotten a few dozen of them over the last ten years), exactly one was remotely good English. It was actually so noteworthy that I made a screenshot and wrote a thread in my guild forum about the first phishing attempt to actually use good English. (It was a good simulacrum of Blizzard emails. They even copied an official tip not to trust emails soliciting personal information. And people probably still fell for it.) – MichaelS Oct 19 '16 at 02:43
  • Isn't this a bit like asking "are Linux users better protected from viruses"? It doesn't matter whether this is technically true or not: both virus writers and phishers typically go for the largest market, because there are more fish in that barrel. – Federico Poloni Oct 19 '16 at 07:27
  • @FedericoPoloni Yup, but in my PoV this would be kind of a passive protection. I was just curious how others think about it. – pguetschow Oct 19 '16 at 14:21
  • I'm afraid that non-native speakers of any language are more likely to be tricked by badly translated mails. An expat with maybe only a year of shallow experience with the local language may not really notice the bad quality. – JimmyB Oct 20 '16 at 09:13

4 Answers


There is a really, really good paper on this here.

Tl;dr:

  • 95% of spam is in English
  • In Germany, for example, only 17% of the spam is in German
  • In Scandinavia it's less than 1% in the local language

Conclusion I: Yes, generic phishing is mostly directed at English-speaking people. I can only confirm that many German people will not even consider opening a mail with a non-German subject.

Conclusion II: The main factor for the phishers will be gaining proficiency in the target language. Target languages are English and other "first world" languages, but they differ in how hard they are to learn. Since it's much easier to auto-translate and learn basic English than, for example, Icelandic, phishing will be much less effective on non-English speakers.

But: Spear phishing is much more dangerous and will always be done in a local language, so statistics can't take that into account.

– AdHominem
  • Yep, spear phishing is dangerous indeed, but I was more interested in the results of low-quality spamming. Thanks for the link :) – pguetschow Oct 18 '16 at 09:20
  • Do you have a citation for the claim that spear phishing will *always* be done in a local language? I would expect it to be done in a language that the purported sender and the recipient have in common, and generally in the language they would normally use to communicate with each other. – user Oct 18 '16 at 12:58
  • Not always, but mostly. Realistically, most of our personal friends speak our local language and not English, no matter how much the internet has brought people closer. I can just speak for myself, but I'm pretty confident to claim that for someone not from an anglophone country, the average number of English speakers in your narrow circle of friends approximates zero. – AdHominem Oct 18 '16 at 13:24
  • @TechTreeDev Spear phishing is just another buzzword. Spam has always been targeted; you can always separate victims by domain and TLD. Social media just makes it even easier to automate targeted spam. – AdHominem Oct 18 '16 at 13:28
  • Really good "paper"? That implies there's something long to read behind your link, but it appears to just be an image. I think instead of "paper" you mean "breakdown" or "summary". – Seldom 'Where's Monica' Needy Oct 19 '16 at 00:26
  • This has been my experience too. I'm glad English got to be the international language of this century because of things like this! Spear phishing won't work against me either, as it's not easy to guess my mother language from my browser headers. Comfy! – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Oct 19 '16 at 04:13
  • I would think that spear phishing could end up being more dangerous in a relatively obscure local language, as users would be less suspicious of phishing/spam messages due to receiving fewer of them and/or receiving them in foreign languages. – alex.forencich Oct 19 '16 at 20:01
  • Of the spam subjects I see in Pobox's summaries, well over 5% are Spanish, Chinese or Japanese. – Anton Sherwood Oct 20 '16 at 19:39

In my opinion (this is a subjective question) they are even less protected.

If you read a phishing mail in your own language (or any other language that you understand) from someone who claims to be "your bank manager" (for example), you may understand better what's going on, and you won't click the link.

But if the mail is in English, and you don't understand the language properly, then you may, unconsciously, click the phishing link to the fake bank website. That's due to the well-known fact that English is the international and business language (even if you can't speak English, you know that fact).

That's more or less how Social Engineering works.

– KanekiDev
  • There's another aspect supporting your claim. Many of the phishing emails are written in poor English, which is probably the result of, well, Google Translate. A native English speaker will notice the low-quality wording immediately and treat the request accordingly. A person with mediocre English, on the other hand, is more likely to miss this sign of a scam. – eran Oct 18 '16 at 11:50
  • On the other hand, if I'm contacted by my (local) bank and they're not speaking Dutch, I'm immediately suspicious... – Shadur Oct 18 '16 at 13:15
  • @MikeP It depends on the type of spam. Some spam is designed to emulate, other spam is designed to find the most gullible people. When they want gullible people, poor grammar is better because these people have already shown they will ignore red flags. – Erik Oct 18 '16 at 23:14
  • Why would anyone click on this kind of link in an email he doesn't understand? If you receive an email from your local US bank and it's written in Chinese, will you click on the links??? Furthermore, statistically people tend to disregard errors, and receiving important emails in a foreign language won't be any different... – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Oct 19 '16 at 04:17
  • People clicking on a link in a suspicious email that they do not understand is part of the "Social Engineering" used by hackers so far. I say many times that `Users are often the easiest "security vulnerability" to exploit in a system`. – KanekiDev Oct 19 '16 at 09:04
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/47132/discussion-on-answer-by-kanekidev-are-non-english-speakers-better-protected-from). – Rory Alsop Oct 20 '16 at 17:08

I'd say that is true, but only to the extent that it filters out people who don't know the language the email was written in at all (completely unintelligible). The truth of the matter is, if it was profitable for them to have properly translated, grammatically correct spam emails, then they would do it. Sending an email is extremely cheap in regards to labor and cost. The expensive part is the next step, where they interact with the respondents. To quote a Microsoft Research paper:

Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.

Crappy graphics and poor grammar weed out the people who are less likely to end up sending them money. People who respond despite those factors are more likely to end up sending them money.

In my extended family on my wife's side there is one individual who was almost baited into a "Bill Gates wants to give you millions" scam a couple of years ago. Luckily I was able to convince them that it was a scam, but only barely even though it was blatantly obvious to me. This same person lost a fortune to the Bernie Madoff of Peru many years ago. They also got involved in a business deal more recently with a shyster and ended up losing a good amount of money due to the partner's bad faith. They are a wonderful person, and unfortunately exactly the mark a scammer wants. They don't want someone that will be spooked by poor grammar.

– Erik

Short answer: No.

Long answer: Limited samples do not justify your conclusion.

  1. Phishing campaigns are never free; phishers need to make sure enough targets fall prey to pay their bills.
  2. Regionalised phishing campaigns increase success rates. A phisher will make use of online advertisers' regionalised tracking features. It is cheaper to piggyback on the information relayed by the online advertiser than to run your own script (which is costly to build and easily blocked by antivirus software).
  3. Phishers also run their own statistics on the phishing campaign, to tune the layout, wording, etc.

For example: If you go to a popular regional website and click on a phishing advertising campaign's adverts (which can be anything that you find interesting), it will send all the regional information, including all the advertiser tracking information, to the phisher. Then the phisher just shows you content according to the region. The infamous ransomware is indeed using this tactic, e.g. showing a crafted Italian page when it knows you are an Italian user, and a German page to a German user.

(update) Check out these German DHL security notes. Imagine you are one of those users awaiting a package and an unclaimed-package email appears in your mailbox; what will you do? You can view the sample phishing email image here.

That's why a tracker blocker/ad blocker will mitigate a lot of malware campaigns, because it reduces the entropy of tracking information relayed to the phisher through online advertisers.

For email phishers, using geo-IP to pinpoint the designated language is not difficult.

First, the phisher can put a web beacon inside the email. (That's why you should not open or view unknown email in HTML format.) For example,

<img src="http://phisher.com/youremail@xyz.com/beacon.jpg">

And the phisher's web server parses the URL and immediately knows your IP address. All they need to do is match the geo-IP of your IP address with the email address.

Then you can guess what happens next: an email that targets the specific region will be sent, e.g. a DHL phishing mail to a user with a German geo-IP.

IMPORTANT NOTES: Even when getting an external report, you must be aware of sampling bias in the regional user base. If you read statistics from Symantec, they are mostly USA-based. If you get statistics from Avast, the statistics might be skewed towards central Europe and Russia. If you check out Avira threat statistics, you will see tons of German figures.

– mootmoot
  • Scam phishing campaigns are almost always "free". They are often conducted using stolen money, stolen computer resources, and low-paid data processing people (not technically oriented), in countries with a low cost of living. There might be a small start-up cost before they start stealing money, but after that, it is all working off stolen money. – MikeP Oct 18 '16 at 15:45
  • @MikeP First, cheap is not free; if the success rate is very low to begin with, that can make a difference. Second, even stolen money or stolen computer resources cost money. If you don't pay someone to get them for you, you have to spend time constantly acquiring new ones, etc. Obviously, scammers do not face the real costs of their campaigns and “bills” might not be the right word, but it stands to reason that they have every reason to make sure their campaign is as effective as possible. – Relaxed Oct 18 '16 at 18:00
  • You might be right theoretically, but in practice I never receive spam/phishing in my mother language (which is one of the most widely spoken languages in the world). On the other hand, if I receive an email in English that I am not expecting, there is a 90% chance I can mark it as spam. – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Oct 19 '16 at 04:23
  • @a25bedc5-3d09-41b8-82fb-ea6c353d75ae: In statistics, using your own experience as a sample is called `sampling bias`. – mootmoot Oct 19 '16 at 08:43
  • @mootmoot Fair enough, but please explain to me who (individuals or companies) would send people an email in English when said people don't even speak it? No banks, no government, no national e-commerce website are going to communicate in English, never, ever. As for receiving them in my mother language, maybe I'm the only one to never receive any... – a25bedc5-3d09-41b8-82fb-ea6c353d75ae Oct 19 '16 at 12:02
  • @a25bedc5-3d09-41b8-82fb-ea6c353d75ae You don't need to repeat your opinion. If you don't know how to google those samples, you can post a question asking people for sources regarding your mother-language spam/phishing. – mootmoot Oct 19 '16 at 13:41
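As an added example (not code from the thread or from any of its posters), here is a small Python check a mail client or gateway could run to flag the kind of web beacon described in the last answer: a remote `<img>` whose URL carries the recipient address (plain, URL-encoded or base64, so the fetch ties an IP address to one mailbox) or that is sized as an invisible 0/1-pixel image. The sample HTML and the hosts `phisher.example` and `track.example` are constructed for the example.

```python
"""Flag likely tracking beacons in an HTML email body (added example)."""
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one dict of lower-cased attributes per <img>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_beacons(html, recipient):
    """Return the src of each remote <img> that looks like a beacon:
    its URL embeds the recipient address (plain, URL-encoded or base64,
    the forms used to tie the fetching IP to one mailbox) or it is a
    0/1-pixel image."""
    rec = recipient.lower()
    rec_b64 = base64.b64encode(recipient.encode()).decode().rstrip("=")
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid:/data: images never reach a remote server
        dims = {img.get("width", "").strip(), img.get("height", "").strip()}
        tiny = bool(dims & {"0", "1"})
        carries_id = rec in unquote(src).lower() or rec_b64 in src
        if tiny or carries_id:
            hits.append(src)
    return hits


# Constructed sample message; phisher.example and track.example are
# placeholder hosts, youremail@xyz.com is the address from the thread.
SAMPLE_HTML = """<html><body>
<img src="cid:logo@local" width="200" height="60">
<img src="https://www.example.com/logo.png" width="200" height="60">
<img src="http://phisher.example/youremail@xyz.com/beacon.jpg">
<img src="https://track.example/p/youremail%40xyz.com.gif">
<img src="https://track.example/o?u=eW91cmVtYWlsQHh5ei5jb20">
<img src="https://track.example/px.gif" width="1" height="1">
</body></html>"""
```

The check only helps if it runs before the client fetches remote images; the mitigation the answer gives, not rendering remote content for unknown senders, is what actually keeps the IP address (and its geo-IP) from the sender.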