I read somewhere that scammers use bad spelling as a sort of filter: if you're able to recognize these errors it's very likely that you won't fall for the scam anyhow.
I feel the opposite is true - a few original ideas that largely already existed long before the internet just keep repeating in variations.
Re post #3: one might say the disguises change I guess.

The scammers send out mass comms knowing full well that only a tiny fraction of a percentage will get sucked in. But thats typically enough. The non computer literate are the primary target, especially the elderly and not the kind of users who would frequent a site such as this.

I wonder where they got that old googlemail address from. I destroyed that account last year, but I hadn't actually used it for a long time before that. They must have scraped it off some other site, maybe the old Linux Forums where I used to be a member.

It’s spelled phishing...but I agree about the reasoning for the misspelling.

It's a deliberate respelling in the same vein as phreaking/warez/haxx/etc - i.e. more about being "l337" than to disambiguate from aquatic hunting.

The earliest recorded use of the term phishing was in AOL software where both spellings were used. (See https://arxiv.org/abs/1106.4692)

Be aware that there are malware engines that can be embedded in email that "activate" on hover. You do not have to click a link, just run the mouse cursor over the email and it attempts to run and infect your system. You want to do that test in a jail or other restricted environment to limit the exposure.

This is where reading mail in something like Puppy Linux starting from a CD shines. "Try to infect THIS read-only media silly malware pigdog"! ;-)

(Yes, yes I DO miss "python". Very much!)

I didn't know that. That's terrifying! I was taught years ago to hover over email links to see if the text corresponded to the actual address it would take you to.

It is. we had a ransomware attack that triggered that way. I was sysadmin, and I was proud of the user. They realized SOMETHING had triggered and got their machine off network and called me ASAP so the damage was minimal and I had the server and their system restored within hours. (Even if the company had no policy, I would object personally and vehemently to paying criminals.)

It was an email, in Microsoft Outlook, and it was not detected by the AV software in our mail server OR by the different desktop AV software at the workstations.

I am NOT certain it could have fired up from a GMAIL spam folder. I would hope not, but be very careful testing that.

But wouldn't a thing like that normally be written to run on Windows machines? Could you have one that ran on Windows and Linux?

interesting. Could it be some kind of embedded html or js? Trouble with outlook, its generally not plain text mail that users use by default. So clearly some script run mouse over was the vulnerability there.

This entirely depends on the software used to read email.
I don't use Puppy, and I'm still safe from this.

Nothing like a good French Taunt!
Your mother smells of elderberries!

That corporation considered Windows workstations standard, even where the servers were Linux. It was the workstation that was hit, but the encryption ransomware also encrypted some files on the SAMBA share that was mounted form that workstation. I have never seen malware written to run on both Linux and Windows that was not browser based. Not to say it could not be done, but it would require deeper thinking than most criminals put into these things. They are after the money, not a being a "global threat".

The State Agents (N Korea, China, Iran, Russia, possibly the US NSA or CIA) may write intelligence gathering software that runs on more platforms, but you would probably not detect it unless it failed in a way that caused you a problem. There stuff is written mostly to gather data, not to shut you down and make you pay to get your data back. Ransomware writers WANT you to know they have infected you. Intelligence agents want you to never notice the leak. I cannot speak to that except in theory.

That's the point!

I can tell you on my own ransomware attack experience at my job's network, a few years ago. It was a rather small network, a HP server (ms windows server 2008 I think), and about 15 workstations running vista 32 bit (engineering and office software). The server was usually running 24/7. We used to take incremental backup every evening and full backup about once a week. The attack seems to have started in the weekend. Monday morning, colleagues found that their files on server were inaccessible, with their filenames altered (something added to the filename at the end). Some html files were added into the folders, giving a email address where we could ask what to do in order to take our files back. The IT engineer (external) knew already a few things about this kind of attack and said we have to do nothing to contact them, because they are not trusty people, so they could just take the money leaving things in that state. He managed to mount a backup drive in one of the workstations (there is no spare server machine) and this manner the company could continue to work until the main server was restored from backup. This restore went on for the remaining of the week. He investigated how the malware was able to enter the network but couldn't find anything. He checked all local computers and disks, email etc. One of the workstations was totally infected too, as well as two other workstations partially infected (my own workstation contained a folder where the network-attached scanner would send directly scanned documents).

There were 2 more similar attacks later (1 year or some months). It seems that during one of them, the infection started before or during the backup operation. So, the backup was infected too and we had to go to previous backup sets. The bad news are that probably something happened to the server's system it self (one of the administrator's accounts) and this went on for several months, until the entire system was replaced my new hardware+software. Nevertheless it is probable that the system's damage occurred in a different time and was already in previous backup sets. Of course it would be perhaps safer to reinstall the server from scratch but I can't imagine how long it would be to update the system for 7-8 year updates.

It is interesting that norton antivirus was running on all workstations during the first attack (but not on the server computer). After that, an antivirus license has been installed in the server too, nevertheless it didn't seem to prevent further attacks. It is possible that the attack came directly to the server from the internet connection. I don't know anything further about this, just to tell that the antivirus did not prevent it.

In the new network, email accounts are provided by gmail professional subscriptions, however email is read and sent by ms outlook that I *hate*. Furthermore, they couldn't transfer my email archive of 15+ years @#$%^&**&^%$#@

Wow.
I wonder how many real-world scenarios are like this: you know there's something bad on the network, but you cannot find and squash it, even with "specialists" and antivirus - until you decide to scrap it all and start from scratch - such drastic measures!

I think there is an important difference between an office server and a home desktop or laptop machine. Ransomware attacks on home computers are unlikely to be profitable because most home users don't have access to bitcoin and don't have the money to pay large ransoms anyway. Malware for the home user is far more likely to take the form of a keylogger to steal banking passwords or a back door to turn the machine into part of a botnet for spamming or for ddos attacks.