Free Republic

Phisher Kings Court Your Trust
BusinessWeek Online | June 2006 | Brian Grow

Posted on 06/08/2006 6:48:20 AM PDT by BenLurkin

Computer-based fraudsters are finding new ways to trick people -- not technology -- to get the information they seek

"Lawsuit against you," reads the subject line in an e-mail that hit thousands of in-boxes around the world last month. In flawless legalese, the message warns recipients that they recently sent an unsolicited fax to the sender's office. Citing U.S. civil code, its prohibition on sending junk faxes, and an actual $11 million settlement by restaurant chain Hooters, the missive threatens a lawsuit over the alleged junk fax.

"If you do not pay me $500 by the deadline for payment, I intend to sue you for violating the Telephone Consumer Protection Act," it reads. "If you force me to sue, I will not settle for less than $1,000." Details of the alleged lawsuit are contained in the document attached to the e-mail.

In today's litigious -- and digital -- society, being notified of a lawsuit via e-mail might not seem too unusual, right? Gotcha! The e-mail is a scam that preys on deep-seated fears of being hauled into court. Its target: unlucky recipients who may indeed be among thousands of companies that send junk faxes.

SPAM SANDWICH. The attachment -- labeled lawsuit.exe -- is a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs, and then swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a Paris Hilton sex video, to friends and associates.

"This is one of the most innovative ideas used by spammers to target unsuspecting users," says Govind Rammurthy, chief executive of computer security firm MicroWorld Technologies, which sent out a warning about the lawsuit.exe scam in March.

As Web-based scams proliferate, it's often psychological cunning, deployed on top of surreptitious code, that is the secret to cyber-criminals' success. Like traditional con men on the street, Internet fraudsters need a never-ending supply of ways to convince victims to trust them -- to open an attachment, click a link, or innocently enter personal data on a Web page.

IN YOUR HEAD. Overpowering instincts, rather than firewalls, is the surest means, say analysts, to pickpocket personal identities and online bank accounts. "You can't install a software patch for a person's mind," says Barry C. Collin, chief executive of cyber-security consulting firm Threat and Risk Associates.

In fact, security analysts say hackers are spending serious effort in researching the psychological vulnerabilities of potential targets. Security firm TrendMicro's director of global education, David Perry, says they watch news headlines for poignant world events and often review the success of an attack by reading press releases and corporate warnings, in order to tweak the next attack for greater effectiveness.

Hackers also look for situations of confusion to exploit, such as a corporate merger. For example, at Vigilar's Intense School in Ft. Lauderdale, Fl., where they train people in ethical hacking to help fortify digital defenses, they use a bogus e-mail from someone pretending to be a helpdesk employee trying to verify account data for a database that is being combined in the wake of a merger.

TRUST ME.... "There is a lot of implied trust that you can manufacture -- and exploit," says Ralph Echemendia, an info-tech security instructor at Vigilar's. Echemendia used the 2004 merger of Wachovia and SouthTrust as a model to deploy the script and tap merger chaos.

Analysts say phishing attacks also often spike after a data security breach hits news headlines. The reason: Customers are already anticipating a potential request to update account data and monitor credit reports.

"It makes them more vulnerable to psychological scams," says Herbert H. Thompson, chief security strategist for Security Innovation.

ONE-TWO PUNCH. Take the case of a phish targeting Citibank customers this year. To build trust, it operates in two phases, say analysts. First, an e-mail purportedly from Citibank warns that customer accounts may have been compromised in a previous scam. But it doesn't ask for personal information.

Instead, the scam requests an e-mail address, just in case the victim's account is found to be hacked. Then, later, a second phish is sent out warning that, indeed, the account has been compromised -- and requests an update of financial details.

"Trust was built in the first step. Then, in the second step, they asked for confidential information," says MicroWorld's Rammurthy, who estimates some 60% of victims who received the second e-mail provided personal and financial data.

Indeed, with overall returns from phishing attacks falling, Web criminals are succeeding in finding novel new ways to convince users to open documents or click links that download data-stealing software onto PCs. Instead of directly asking the user to enter personal data into a fake Web site, cyber-criminals are embedding code into fake news articles or business-oriented "requests for proposals" which, when opened, install a backdoor into the PC, then log keystrokes. Russian security firm Kaspersky Lab estimates the use of data-stealing code designed specifically to steal financial information, known as Trojans, rose 402% in 2005.

SHARING THE STEALTH. The upshot: Fewer people are, themselves, coughing up personal info, but fraud losses continue to climb. A 2005 survey by Gartner found that just 2.5% of phish recipients responded with personal or financial information, down from 3% in 2004. But fraud losses connected to the theft of such information off the Web still rose from $690 million in 2004 to $1.5 billion last year. "If I'm a scammer, I have to do something that will make you trust me," says John Pescatore, senior vice-president of Internet security at Gartner.

Law enforcement agents say that while the thinking behind cyber-scams is not much more complex than age-old cons run by offline grifters, it's clear cyber-criminals are pooling their brainpower to devise new techniques. A DVD available in foreign black markets called "Hacker's Handbook" contains scores of tips on how to trick victims, according to Trend Micro's Perry.

Former hacker Kevin Mitnick, who now runs his own security consulting firm, hosts a two-day "social engineering" conference for clients that includes sessions entitled "Bugs in the Human Hardware." At hacker sites such as mazafaka.ru and astalavista.box.sk, criminals often share ideas on how, for example, to exploit new state laws in the U.S. requiring firms to issue warnings when customer databases have been hacked.

ROYAL SCAM. Some scam artists still plot the old-fashioned way: by holding physical court. Law enforcement agents say Nigerian fraudsters often gather in Internet cafes in the country's capital, Lagos, to concoct the newest bait.

Famous for pioneering so-called 419 letters -- pleading e-mails from bogus foreign businessmen seeking to move money out of their country by tapping U.S. victims' bank accounts -- the Nigerian scammers are now establishing romantic relationships in online dating Web sites in order to dupe lonely love interests into giving up financial information.

"It's group brainstorm," says Gregory S. Crabb, a senior investigator for the U.S. Postal Inspection Service in Washington, D.C., who has hunted cyber-criminals around the world.

CHEAP THRILLS. Hackers are even finding ways to take the pain out of writing malicious code, a move that may enable more concentration on upgrading the psychology of the cyber-scam. On Mar. 24, security firm Sophos said it had discovered a Russian Web site selling a spyware kit called WebAttacker for less than $20. The pre-fab software downloads a program that tries to turn off PC firewalls, then installs a keystroke-logging device.

Already, it has been spammed-out via e-mail touting news stories about bird flu and the recent death of ex-president of Serbia, Slobodan Milosevic. The technical skills required to be a cyber-criminal have been removed as an entry-level barrier. "In order for the cyber-crime business to continue, it is going to rely more and more on social engineering," says Ron O'Brien, senior security analyst at Sophos.


TOPICS: Computers/Internet; Education
KEYWORDS: computer; computersecurity; identitytheft; phishing

1 posted on 06/08/2006 6:48:22 AM PDT by BenLurkin
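The lure in the article works only if the attachment gets as far as the reader, so the practical defence is at the mail gateway: refuse executable attachments no matter what they are named. The following is an added example, not code from the article or from any vendor quoted in it. It parses a constructed sample message (the subject line and body text are taken from the article; addresses use reserved `.invalid` domains) and flags an attachment on three independent signals: an executable extension such as the `lawsuit.exe` the article describes, a double extension like `document.pdf.exe`, and a Windows PE header (`MZ`) hiding under a harmless-looking name. The extension list is an assumption to be tuned to local policy.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly on double-click.
# Assumed list for this example; a real gateway policy would be broader.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Every Windows PE executable begins with the DOS-header magic "MZ".
PE_MAGIC = b"MZ"


def attachment_findings(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment: filename, decoded size, and the reasons it was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        lowered = name.lower()
        reasons = []

        # Signal 1: the declared name ends in an executable extension (e.g. lawsuit.exe).
        if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            reasons.append("executable extension")

        # Signal 2: more than one extension with an executable one last (e.g. lawsuit.pdf.exe),
        # a disguise that relies on the client hiding the final extension.
        pieces = lowered.split(".")
        if len(pieces) > 2 and "." + pieces[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append("double extension")

        # Signal 3: content sniffing. A PE header under a non-executable name is the
        # strongest signal, because renaming the file does not change its first bytes.
        if payload.startswith(PE_MAGIC):
            reasons.append("PE magic bytes")

        findings.append({"name": name, "size": len(payload), "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the message if any attachment tripped any signal."""
    return any(f["reasons"] for f in attachment_findings(raw_message))


def build_sample(attachment_name: str, content: bytes) -> bytes:
    """Construct a sample message shaped like the lure in the article (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "claims@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Lawsuit against you"
    msg.set_content(
        "If you do not pay me $500 by the deadline for payment, I intend to sue you. "
        "Details are contained in the attached document."
    )
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed payloads: a fake PE stub and a fake PDF header.
    for name, blob in [("lawsuit.exe", b"MZ\x90\x00stub"),
                       ("lawsuit.pdf", b"%PDF-1.4 harmless"),
                       ("lawsuit.pdf", b"MZ\x90\x00renamed")]:
        sample = build_sample(name, blob)
        print(name, "->", "QUARANTINE" if should_quarantine(sample) else "deliver",
              attachment_findings(sample)[0]["reasons"])
```

The point of signal 3 is the one the article's quoted analysts make in prose: the user's decision is the weakest link, so the check should not depend on it. A gateway that only trusts the filename is defeated by a rename; one that reads the first two bytes is not.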

To: BenLurkin

Rule #1 - never believe anything.

Rule #2 - if it seems air-tight believable, refer to rule #1.


2 posted on 06/08/2006 6:57:06 AM PDT by Hegemony Cricket (Rugged individualists of the world, unite!)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

3 posted on 06/08/2006 7:04:40 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: BenLurkin
In flawless legalese, the message warns recipients that they recently sent an unsolicited fax to the sender's office.

And if you don't have a fax machine or fax capabilities, like (say) me, you laugh at the scam, delete the e-mail, and go about your merry way, never suspecting that some goober would write 1,300 words about it.
4 posted on 06/08/2006 7:06:27 AM PDT by Xenalyte (There are some things money can't buy, like a dinosaur.)

To: BenLurkin

Further, those stupid enough to open an EXE attachment deserve the virus they will surely get.


5 posted on 06/08/2006 7:07:20 AM PDT by Xenalyte (There are some things money can't buy, like a dinosaur.)

To: Xenalyte

Indeed!


6 posted on 06/08/2006 7:07:50 AM PDT by BenLurkin ("The entire remedy is with the people." - W. H. Harrison)

To: BenLurkin

Even my AOL-using parents know better than that. ;)


7 posted on 06/08/2006 7:09:13 AM PDT by Xenalyte (There are some things money can't buy, like a dinosaur.)

To: BenLurkin
eBay and PayPal phishers are getting very clever with their scams. I bought an old bottle on Sunday and later had a "Second Chance Offer" asking me to sell them the bottle because it had sentimental value to them. I thought, why didn't they buy it on the auction, as I bought it for $10 and there had been several of these bottles sold.

I should have forwarded to spoof@ebay.com but deleted it instead...
8 posted on 06/08/2006 7:53:10 AM PDT by tubebender (Tagline...I don't need no stinking tagline...)

To: BenLurkin; ShadowAce
Follow up to my post #8. I dug that message out of the trash file and sent it to spoof@ebay.com and got back the usual canned reply and then the followup...The email you reported was not sent by eBay. We have reported this email to the appropriate authorities.

Just Dam! This thing was so well formatted that the average eBay buyer would click on it...

9 posted on 06/08/2006 11:19:35 AM PDT by tubebender (Tagline...I don't need no stinking tagline...)

To: tubebender

Interesting!


10 posted on 06/08/2006 3:09:42 PM PDT by BenLurkin ("The entire remedy is with the people." - W. H. Harrison)
