March 31, 2008
Each Monday, we'll discuss a few notable articles from the past week. These articles will touch on topics relevant to the email sender and ISP communities. Some topics of note will be phishing and spamming, email authentication, branding, online advertising, email statistics, and others.
I'm Seth Redmore, and I'll be your host while you're here. Thanks for joining us. Please feel free to drop me a line with thoughts or opinions.
TechNewsWorld brings us our first article…
Which I'm choosing because it has an awesome headline: “Teach a Man to Phish and He'll Feed on Fools for a Lifetime”
I bet that headline had it spelled as "Phools" before it went to editing.
Oh, BTW, happy April Phools Day. This is all genuine content. No liberties have been taken; it's far better on its own than I could ever make up.
The rest of the article goes on to describe increased sophistication in phishing, particularly regionalization (a step on the way toward full personalization). “Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits, according to a new McAfee report released Feb. 21. One of the newest tricks of the phishing trade is capitalizing on regional lures. Part of this new tactic involves creating malware that is specific to each country.”
(snip)
“"This isn't malware for the masses anymore," said Jeff Green, senior vice president of McAfee's Avert Labs. "Cyber-crooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They're not skilled just at computer programming -- they're skilled at psychology and linguistics, too."”
The second-best part of this article is that they introduced me to a great new buzzword. See if you can find it. “"Phishing continues to evolve in new ways. Spear phishing is the newest approach," Brian Lapidus, chief operating officer of Kroll's Fraud Solutions, told TechNewsWorld.
In order for spear phishing to work, the phishers need advanced insight into their potential victims. This kind of phishing requires incredible levels of targeting, he explained. The phishers need to know key details about their potential victims.”
Spear phishing, indeed. So, now the question that I must raise is: “Can we come up with other kinds of phishing?” A few minutes of thought and Google searching brings us:
Sport Phishing: “We're not really doing it for the money.”
Surf Phishing: I just used your browser history against you.
Fly Phishing: Where you target particularly attractive women.
Catch and Release Phishing: “I'm just doing this so that you know you're vulnerable”
Bass Phishing: Phishing for musicians on MySpace
…and the list could go on, but I shall not. (Link)
On a more serious note, Digital Transactions News (a periodical focusing on electronic money exchanges and issues thereof) brings us…
…a rather disturbing figure
“Just 20% of banks covered by the Federal Deposit Insurance Corp. use technology that can increase recipients' assurance that e-mail messages are legitimate, the report says, relying on survey data from the Authentication and Online Trust Alliance. By contrast, 51% of Fortune 500 consumer companies do. Such technology, for example, allows recipients to check whether a given e-mail message comes from a trusted Internet Protocol address.”
In all fairness, this includes banks both big and small, but, playing on the “spear phishing” theme:
“The increased precision of phishing attacks has meant that fraudsters have moved down the food chain, viewing smaller financial institutions, such as credit unions, as targets,” says report author Nick Holland in the report.
So, while big banks are the obvious target, you're not safe even if you just belong to an employer's credit union. “The fly in the ointment remains phishing as a means of undermining both e-mail and Web channels,” Holland says in the report. “Even for institutions that feel comfortable regarding their control of the e-mail channel, the uncontrollable nature of phishing looms over all such initiatives.”
This final quote in the article is most disturbing when taken in the context of some figures they bring up earlier:
“Some 94% of banks surveyed by Aite between January and March said they already used e-mail alerts or had plans to. The corresponding figure for banks using or planning to use banner ads in e-mails was 72%. Aite received responses from 18 of the 60 largest banks by number of checking accounts. While the banks report 12% of active users of online banking are enrolled to receive alerts, they expect nearly one-third to be enrolled by the end of 2009.”
So, in other words, you should be expecting email from your bank. How do you know to trust it? (Link)
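The “technology” the Digital Transactions piece describes, letting a receiver check whether a message came from an IP address the sending domain has authorized, is what SPF does: the domain publishes a TXT record listing the networks it sends from, and the receiving mail server evaluates that record against the IP that connected to it. Below is a small evaluator I've added here (it is not code from the article, the report, or any product mentioned) covering the ip4, ip6, include and all mechanisms with their four qualifiers, the 10-lookup limit, and the two failure modes a receiver sees most: a domain that publishes nothing, and an include chain that loops. The DNS table and the .test domain names are constructed for the example.

```python
"""Toy SPF evaluator over a constructed, in-memory DNS table (added example)."""
import ipaddress

# Constructed TXT records standing in for real DNS; all domains are hypothetical.
DNS_TXT = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.test": "",                                  # domain publishes no SPF record
    "loop.test": "v=spf1 include:loop.test -all",      # include chain that never terminates
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC limit on DNS-querying mechanisms per check


def get_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = DNS_TXT.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(ip, domain, _lookups=None):
    """Evaluate SPF for a message from connecting address `ip` with MAIL FROM `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]          # shared counter across include recursion
    rec = get_spf(domain)
    if rec is None:
        return "none"           # nothing published, so nothing to check
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address in the record
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"          # too many lookups (or a loop)
            sub = check_spf(ip, arg, _lookups)
            if sub == "permerror":
                return sub
            if sub == "none":
                return "permerror"          # included domain has no record
            matched = sub == "pass"         # only an included "pass" matches
        else:
            # a, mx, exists, ptr and modifiers (redirect=, exp=) are not
            # implemented in this toy; a real evaluator must handle them.
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # record ran out without a matching mechanism


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "examplebank.test"),
                    ("203.0.113.5", "examplebank.test"),
                    ("203.0.113.5", "nospf.test"),
                    ("203.0.113.5", "loop.test")]:
        print(f"{ip:>16} {dom:<18} {check_spf(ip, dom)}")
```

Two caveats a practitioner would want alongside that survey figure. First, SPF authenticates the envelope MAIL FROM domain, not the From: header the customer sees in the mail client, so a phisher who publishes a valid record for a throwaway domain of their own still gets a clean “pass”; it raises the bar, it doesn't answer “is this really my bank?” on its own. Second, “softfail” and “neutral” are not rejections, and a domain that publishes nothing yields “none”, which leaves the receiver with nothing to check at all. What to do with each result is a receiver-side policy decision, which is why the remaining 80% matters.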
Spear phishing for physics students…
From the Daily Free Press (the student newspaper at Boston University)…
“A second "phishing" scam hit Boston University March 20, this time targeting the physics department, but Office of Information Technology officials said students and faculty are now outsmarting scam messages.”
So, two questions:
1) Why the physics department? I mean, did they sit down and say: “What is the potentially smartest group of people in the university, and how can we go after them?” That, we will never know.
2) Why universities and university students? These aren't exactly piles of money sitting around. Fortunately, we do know the answer to that one.
“Stone said phishers target universities because once an unsuspecting person responds with his login name and Kerberos password, the scammers can use that email address to send more spam mail.”
Oh, ok. That's why. It's a good reminder that phishing is an information game – it's all about getting information – some information is directly monetizable, and some requires a few more steps. A working university login is worth something even without a bank account behind it: it yields legitimate email addresses for spam purposes, plus a trusted account to send from.
And a bit of rationality from a physics professor… (fysics professor?)
“William Skocpol, a physics professor who received the email, said Internet safety is a major concern and everyone at BU should learn to be responsible.
"No student should matriculate, let alone graduate, without having learned the collective responsibility that we all share," he said. "Similarly, faculty and staff also need regular reminders, just like we have to take laboratory safety courses over and over again."”
Just like sex ed, it's important to have good email safety education.
Sadly, I think that the good professor has a bit of a naïve view in other ways:
Skocpol said the phishing scammer was most likely unaffiliated with BU, because the consequences could be severe if the message's sender was internal.
"BU persons, if discovered, would be subject to swift justice, including expulsion or termination," he said. "Nor would a BU person have the infrastructure to systematically profit from information obtained."
Really? I'm surprised that he'd think that in all of Boston University, a school with over 30,000 students, there aren't a few who have the connections and knowledge to profit from spam and phishing. As for the technical infrastructure, that's just easy. (Nothing against Boston University – just making a point.) (Link)