11/10/2015

Ask the Experts: What's a Spear Phishing Attack?



Alexandra from Delaware called in asking, "I heard something on the radio about new threats from online 'spearphishing' attacks, and I'm looking for antivirus software that protects against them.

"What software does that?"

It's no surprise that people are starting to hear stories like the one Alexandra heard because even the FBI has been writing about spear phishing for some time now.

Since there are a couple of questions here, let's take 'em one at a time.

What's a "phishing" attack?

Before we look at spear phishing, let's look at garden variety phishing attacks.

Phishing attacks typically (though not always) come as email. In some cases, though not all, they're flagged as spam.

Regardless of whether or not they're flagged as spam, the goal of the email is for the scammers to trick you.

They want you to reveal your bank, credit card, social security, or other personal info so they can steal your cash or your identity.

Now, what's a spear phishing attack?

Thus far spear phishing mainly happens to people at their workplace. A devious criminal gets ahold of YOUR specific information or your company's.

Often, they'll take their time carefully learning about your company, the employees, who's who in it and such so they can craft a perfect email.

Who's the CFO or comptroller? Who's the CEO? Who's the Chief Marketing Officer? And so on.

Then they forge an email from one person with authority to another. Usually there's nothing outwardly fishy about it.

Sometimes, if you're observant, one little thing will fail to pass muster.

For instance, Joe in accounts payable gets a forged spear-phished email that's supposedly from the CFO saying,

'Hi Joe,

'Please send a wire immediately to XYZ Bank, account 1234-5678-90 for $74,092.23 for the initial payment on our contract with the new consultants we're working with.

'They won't start work until they receive the deposit, so please make sure it goes out immediately.

'I'm heading out early today, so please contact: Joe Jones at ABC Consulting (555) 555-5555 if you have questions.

'Mary'



What the spear-phisher does is a couple of things:

  1. They create urgency. "They won't start work until..."
  2. Mary probably isn't even leaving early, but by telling Joe she is leaving early, the email makes it so Joe isn't supposed to contact Mary with questions.



Instead, Joe is instructed BY the spear phisher to contact the spear phisher(!) with questions.

In some cases, Internet security software can help prevent these attacks. Those cases are rare and only arise if the phisher has sent Joe a link to a bogus bank or other website.

So, in most cases, your antivirus software can't protect you.

What can? Knowledge.

In most cases, the only way to prevent these attacks is *thinking* about things and questioning the validity of the content of emails.

Here's a (very) quick how-to:

STEP 1:

Does everything look legit in the email? Sometimes a spear phisher will fail because of tiny, tiny details like how Mary signs her name. Maybe she usually signs emails as --M. Maybe she always includes a certain signature file.

If one comes in now signed "Mary," or with no sig file, you need to start questioning more deeply.

STEP 2:

Check the email "from" and "reply-to" addresses. Are they legit?

STEP 3:

Even if Mary *is* leaving early, surely anyone sane wouldn't mind getting a call from Joe to confirm an outgoing wire for $74K. If Mary gets upset, she has no business being CFO.

BONUS STEP 1:

Put in place a set-in-stone, absolutely iron-clad system for outgoing expenditures.

In one firm where I was CTO, requests for wires HAD to be done IN person ON paper and had to be signed by two people, the requestor and a C-level executive, typically that person's boss. Wires were sent twice weekly, no exceptions.

Yes, this created (rare) problems, but they were far smaller than the problems created having money stolen.

Doing it this way meant: we had a process. We had a clear chain of responsibility. And, we were never, ever victims.

BONUS STEP 2:

Set up and enforce the use of digital signatures, like those from OpenPGP or GnuPG. It will take work to set up an email signature system like one of these. It will. Aside from the work involved in initial setup, they're not a silver bullet. Incredibly helpful, yes. A silver bullet, no.

Even still, they help, and no matter what it's still less work—and less expensive—than trying to recover lost funds, which seldom works.
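
The "from" and "reply-to" check from STEP 2, written out as an added example (not part of the original post). The company domain example.com, the directory entry for "Mary Example" and all three sample messages are constructed for illustration. A clean result proves nothing by itself, since a From line can be forged outright, so STEP 3 still applies.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the company's mail domain and a directory mapping
# each executive's display name to the one address they really send from.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {"mary example": "mary@example.com"}

# Constructed sample messages (headers only matter here).
GENUINE = """\
From: "Mary Example" <mary@example.com>
Return-Path: <mary@example.com>
To: joe@example.com
Subject: Budget meeting

See you at 3.
"""

FORGED_REPLY_TO = """\
From: "Mary Example" <mary@example.com>
Reply-To: "Mary Example" <mary.example@example.net>
Return-Path: <bounce@example.org>
To: joe@example.com
Subject: Wire needed today

Please send a wire immediately.
"""

FORGED_DISPLAY_NAME = """\
From: "Mary Example" <mary.example.cfo@example.org>
To: joe@example.com
Subject: Wire needed today

Please send a wire immediately.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_headers(raw_message):
    """Return a list of reasons to distrust the message's sender headers."""
    msg = message_from_string(raw_message)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = domain_of(msg.get("From"))

    if from_domain != COMPANY_DOMAIN:
        findings.append(
            f"From domain is {from_domain or 'missing'}, not {COMPANY_DOMAIN}")

    # A familiar name on an unfamiliar address is the classic forgery.
    expected = DIRECTORY.get(display.strip().lower())
    if expected and from_addr != expected:
        findings.append(
            f"display name '{display}' normally sends from {expected}")

    # Replies and bounces should return to the domain that "sent" the mail.
    # A Reply-To elsewhere is how the forger gets Joe's questions.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(
                f"{header} points to {other}, From says {from_domain or 'nothing'}")

    return findings


if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE),
                      ("forged reply-to", FORGED_REPLY_TO),
                      ("forged display name", FORGED_DISPLAY_NAME)]:
        print(name, "->", check_headers(raw) or "nothing flagged")
```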

10/14/2015

Phishing by Phone. What Are They Thinking?!



By a bit of serendipity, Josh and I each got phishing attempts in the past few days.

Granted, we get a lot of phishing and malware emails. After all, we have secret email addresses we use to intentionally collect malware and phishing attempts the bad guys are sending.

It lets us see what the latest attacks are and lets us accurately test the antivirus software against the latest threats.

What made these particular phishing attacks different was they happened by phone.

Since it was, I got to have a bit of fun with the phisher.

And, even though you might get a good laugh, hopefully, it'll help you to remember to be as wary of phone calls as you are now of clicking links in emails.

Here's what happened...

I answered the phone at my office as I usually do, "Hello, this is Kevin."

"Hi, Kevin. This is 'Ron' I'm with the Wells Fargo fraud team. We've detected unusual activity on your account.

"Have you travelled to London recently?"

Since I don't have a Wells Fargo account, the gig was up right there for him, but I decided to have a little fun.

"Oh, gosh, I'd love to go to London!" I said.

Thrown by my reply, the best he could muster was, "Yessir. And have you been there in the past two weeks?"

Fish & Chips (with a Texas Accent)

At this point, I decided to give him the best Texas accent I could muster.

"Well, let's see. I guess you might say. I have done a fair bit of travelin'. First I was—sorry, we were—in Leicester. Had a wonderful fish-and-chips at a pub richt thar.

"My wife, girlfriend, and our thirteen kids, well technically I'm not sure if four of the rugrats are mine, but after five or six, what's another?

"Love 'em all just the same.

"So we were in Leicester, the wife, girlfriend, kids and me, when one of the kids decides to wander out of the pub. Shooooot, it musta been two in the mornin'.

"Don't know what the little bugger was thinking, so he wanders out into the street. No idea how long he was gone.

"I guess the coppers must've scared him because he wandered back in. Knees looked a bit skinned, but the girlfriend tended him, so it was no concern of mine.

"After Leicester, we made our way to Brisbane for the night. Wonderful city."

"Pert near a fortnight there and we were off to Timbuktu, which if you've never been, is a real city. Sure as shootin.'

"Good luck trading your money there though, let me tell you."

How 'bout an American Express?

"So glad I had my American Express card. Don't leave home without it, I always say. So you're with American Express you say?"

"Uh. Yessir. I am. Your travel to, uh, these places. It. Uh. It has set off fraud warnings in our system."

"I need to confirm your card is in your possession. Do you have it?"

"Oh sure. Let me dig around for it. One of the kids must've just used it for some Minecraft thing or another."

At this point I put the phone down, found some sounds online of kids playing and put the phone next to the speakers, while pretending to rustle papers around.

Those Doggone Kids

Every couple of minutes, I'd shout some obscenities with a random kid's name.

Every few minutes I'd go back to the phone, apologize, and tell him to hold on just another minute.

I could tell from the exasperation in his voice, my gig was almost up, but I wasn't done with him yet.

Time for a Boston Accent & a Discover Card

Switching now to a Boston accent, I went on,

"Gosh, I'm sorry. The wife and girlfriend left a while ago for some a little shaawpping. They took one of the Ferraris and left me with awl these kids.

"I just don't know where my Discover khad is."

"Oh, that's no problem. We'll just look it up with your social security number."

Darn... Maxed out the Social Security Card, too??

"My social security number? Oh, heck, I stopped using that credit caaad years ago! Maxed that thing right out. Can we use something else?"

"Sir, your social security number isn't a credit card."

"Oh right. That thing. Haven't used it in years either. I don't think I can find it."

"You don't know your social security number??"

"Well, not since little Frankie ran over the neighbah's pet alligata back in '86. Had to get the heck out of Dawdle afta that. Moved to Canada for a couple a years.

"Let me tell you, getting fifteen kids, the wife, the girlfriend, AND the Ferraris across the border took some doing.

"Oh wait, we had the Porsches then. Air-cooled engines. Great sound.

"So, no, I guess I don't really know my social security number anymore. Isn't there anything else??"

At this point, 'Ron' was nearly in tears. It was bliss.

"Well, we could use your checking account, full name, and address. The one you use to make payments with."

"Oh, right, sure thing. Easy. Peasy."

Those Pesky Kids Are Back / The Surfer - Valley Girl Arrives...

At this point, I repeated the kids shouting / playing sounds routine, pretended to rustle through belongings, and occasionally shouted random kids' names again.

Upon returning, I'd gone part California surfer, part Valley Girl.

"Like. I can't find the doggone check book either. Don't that like just take the cake, dude.

"I bet those two are really going to do some damage. Last time they went out together with the Visa and my checkbook, they said they were just going for a manicure but came home with a new Ferrari.

"Love those two.

"Heck, with all the kids' puke stains on the back seat, I guess it was time, man. Thing probably had 4,000 miles on it anyway.

"You know, now that I think about it, OMG! I'm not sure if they even got manicures that day."

"Well, let's confirm the account details we do have here on file, and I can call later to get the rest of the information."

"Oh. Right. Sure."

"...your full name as it appears on your account, sir?"

"Kevin Hfuhruhurr Armani Dior Steve Stifler de la Cruz IV."

Hfuhruhurr can be a real bugger to spell apparently.

Exasperation level: 10/10.

"Street address"

"Well, we don't really have a 'permanent address', air quotes!! ...you might say...Not with like the, you know, like, alligator incident in '91 and all."

Are You Telling Me the Truth?

"Sir. Are you telling me the truth? Or are you just making things up now?" he pleaded.

"I'm telling as much truth as you are."

"OK, I guess the gig is up for both of us."

"What's a 'gig', sir?"

"In this case, it means 'scam,'" I said. "Let's drop the bullshit. You called me trying to steal from me. You're not my bank. You're a scammer. Where are you, someplace in India?"

The Long Silence: Part I

After considering his options, 'Ron' decided to come clean.

"Yes. I'm in India."

I pressed on, "And this call, it's a total scam, isn't it?"

"Well. I wouldn't call it that."

"Oh, right. You're from my bank. Wells Fargo, you said. Here's the funny thing: I don't even have an account there."

'Ron' went on to confess he'd been doing it for about three months, and that the money wasn't great, but it was enough to feed his family.

I asked him how he'd feel if someone stole money from his family, and they couldn't eat.

"I never thought of it that way..." he began, "The banks pay everyone back. No one gets hurt."

"Hate to burst your bubble, 'Ron,' but that's not how it works. When you take money from someone's bank account, it's a looooong process for the victim. It takes weeks to even try to get the money back.

"Sometimes, the banks say, 'No,' and the victim loses the money.

"There's really no difference between what you're doing and a mugger on the street: YOU are a thief stealing money from people."

The Long Silence: Part II

After another long silence, I added, "You can try to justify it to yourself any way you want, but you're a thief, 'Ron,' plain and simple. Does your wife even know what you're doing?"

"No. She thinks I'm in tech support."

"Huh. That makes you a thief and a liar. A liar to your own wife. If you're earning enough to make a living stealing from people, you must be pretty convincing. You must be a pretty good salesman."

"I guess I am?" he said, almost asking me if I thought he was.

The Long Silence: Part III

"I guess... I just... I don't know..." he whispered, "I don't know what to do, sir."

"Maybe you should quit this shit, stop stealing from people, and go get an honest job, perhaps in sales." I offered, "Then whether or not you come clean to your wife is up to you, but at least come clean with yourself. Get out of there, brother."

"Thank you for your time, sir."

The Takeaway

The scams are out there. They take many forms.

Sometimes phishing scams come by email; sometimes they come by fax; sometimes they come by phone or even text message.

Even if it's a phone call, fax, or text, there's no reason to trust it. Call 'em back.

And, if you think you can trust your Caller ID: don't. It's a fool's errand.

"Spoofing" Caller ID so that it looks like the call is coming from a different number is trivial. Typically, scammers like 'Ron' really just need a T1 phone line.

After that, they can make the caller ID say anything they want.

In fact, in a lot of ways it's actually easier to fake a phone number than it is to set up a whole fake website to do phishing.

On top of that, nearly all email providers are actively working to thwart the bad guys and prevent their emails from getting through. When was the last time your phone company even lifted a finger to prevent a fake or harassing phone call from getting through?

Add to that, the challenge of getting by the anti-phishing filters built into most Internet Security Suites, and setting up a T1 line is downright easy.

Consider this, too: if you get a call from your bank, and there's a legitimate issue, they'll understand your concern for security, and your wish to call them back.

On the other hand, if the caller gets agitated at this suggestion, it's all the more reason to be suspicious.

04/02/2012

New Phishing Tricks by the Bad Guys



UPDATE: Looks like I'm not the only one getting these emails!

Dancho Danchev with Webroot also has a great blog post on these emails. His is called "Spamvertised 'US Airways' themed emails serving client side exploits and malware."

One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.


Sometimes, you really just have to laugh.

I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.

It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.

Here's what it looked like:



Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:

Domain ID:D5073610-AFIN
Domain Name:RUPEERUPAYA.IN
Created On:27-May-2011 21:14:29 UTC
Last Updated On:27-Jul-2011 19:20:22 UTC
Expiration Date:27-May-2012 21:14:29 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R101-AFIN)
Registrant ID:CR84151356
Registrant Name:ian jamieson
Registrant Organization:perdita & pongo llc
Registrant Street1:po box 2225
Registrant City:manchester ctr.
Registrant State/Province:Vermont
Registrant Postal Code:05255
Registrant Country:US
Registrant Phone:+1.8022360304
Registrant Email:[email protected]

Whether or not the registrant name is legit is anyone's guess, but it's hosted at this IP 184.168.172.1 by GoDaddy.

It's exceedingly rare that anyone uses their real info to host a phishing site--much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that or the registrant name is completely falsified.

The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.

Instead, by doing a "Right Click," you can copy the link out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see this link is going to an Indian website (.in) and not to US Airways.

For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular email. After all, it is a relatively clever bit of social engineering that some people will, no doubt, fall for.

Even still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.

Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:



As you can see, VIPRE 2012 blocked it as a trojan, so there should be little doubt in your mind now that, between

  1. the "US Airways" link mysteriously going to a .in website...
  2. it being registered to an "ian jamieson..."
  3. and VIPRE ISS blocking the first thing on the site as a trojan

this is a malicious website and a phishing/spear-phishing attack.

Now, it's time to contact GoDaddy to get the site yanked before more people get infected.

Oh, and in case you're wondering here are the threat details from VIPRE:

12/08/2011

Ask the Experts: Do I Need Antivirus Software?

Martha tapped a note out to us today that asked,

"I'm 73 years old. My grand kids have been getting after me a lot lately. They want me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news."

Here's my reply (with a little extra added here for clarification):



Thanks for writing, Martha.

I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)

The first question here is:

Do I need antivirus software?

Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:

What would happen if your PC got a virus?

The main risks of viruses are that they tend to be:

  1. destructive
  2. personally invasive
  3. resource thieves

The first thing is easy to understand. Viruses can delete your files.

If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.

On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?

As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.

Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?

The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".

Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spams, probably without you even knowing it.

Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.

As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people--or their computers--to installing their viruses.

How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.

12/05/2011

Ask the Experts: What's the difference between antivirus and Internet Security software?



Easily one of the most Frequently Asked Questions we get is,

What's the difference between antivirus software and an Internet security suite?

Right on the heels of that is the next one, Is the upgrade worth it?

Each security software company puts their own spin on things, but generally it boils down to the addition of two critical features:

  1. firewall software
  2. malicious website filtering

firewall software

Creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport.)

Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.

The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.

What's the point?

You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.

So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.

malicious website filtering

You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to, maybe you just made a typo and typed "yuorbank" instead of "yourbank."

Who knows.

In either case, the bad guys are on the prowl and are:

  1. secretly taking over legitimate sites and installing their viruses onto them
  2. buying domain names that are typos of legitimate sites
  3. sending spams and phishing emails

Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.
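
One way a filter can catch the typo domains described above, shown as an added example (not from the original post and not any vendor's actual filter): it measures how many single-keystroke slips separate a hostname from a site the user really uses. The hostnames under .example and the list of known sites are constructed.

```python
# Constructed list of sites the user actually visits.
KNOWN_SITES = ("yourbank.example", "yourmail.example")


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment).

    Counting the swap as one edit matters: "yuorbank" is a single
    transposition away from "yourbank", but two plain substitutions.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute or match
            if (i > 1 and j > 1
                    and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[rows - 1][cols - 1]


def lookalike_of(hostname, known_sites=KNOWN_SITES, max_distance=1):
    """Return the known site that hostname imitates, or None.

    An exact match is the real site, so it is never reported. Keep
    max_distance small: very short names sit one edit from many others.
    """
    name = hostname.lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    if name in known_sites:
        return None
    for site in known_sites:
        if osa_distance(name, site) <= max_distance:
            return site
    return None


if __name__ == "__main__":
    for host in ("www.yuorbank.example", "yourbank.example",
                 "yourbannk.example", "weather.example"):
        print(host, "->", lookalike_of(host) or "no known site imitated")
```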

Is the upgrade worth it?

Yes.

In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clearcut.

Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.

The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.

And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.

08/25/2011

Android Malware, Adobe Exploits, Spam Volume & More in the McAfee Quarterly Threat Report

In their most recent McAfee Threats Report, antivirus & security software vendor McAfee covers a lot of ground in the malware arena.

Here are the highlights:

  1. Android is now the most highly targeted platform for mobile / smartphone malware.
  2. More successful legal actions are being taken against cybercriminals
  3. 22% increase in malware samples over 2010
  4. On pace for 75 million malware samples by the end of 2011
  5. Fake antivirus software continuing to grow
  6. 38% increase in rootkits (stealth malware) over 2010
  7. Adobe outpaced Microsoft for security exploits in their software (Acrobat, Acrobat Reader, etc.)
  8. After a brief up-tick, spam is again declining
  9. Over 7,000 new malicious websites per day
  10. Over 2,700 new phishing websites per day

What are the takeaways from it?

  1. Smartphone viruses are here, they're real, and they're growing.
  2. It isn't just a matter of keeping your OS updated. You've got to update all the software on your system regularly. Adobe Acrobat/Reader is proving that.
  3. Antivirus software is a must.

07/08/2011

[Alert] Free "Smiley" hats & Free Vans shoes a Scam

So far over 300,000 people have been duped into "liking" a facebook page that claims to offer the first 750,000 people who like the page free "Smiley" hats and Vans brand shoes.

Here's what the junk Smiley Hat scam looks like in your facebook account:

...and here's what the fake Vans shoes scam looks like:

Sophos, an antivirus software company specializing in business-oriented antivirus software, appears to be one of the first to break the news of this latest scam on their blog with the aptly named page: "Smiley Hats Vans Facebook Scams".

Graham Cluley, who wrote the piece for Sophos, sums it up, saying,

"...do you really believe that you are going to be sent a smiley hat?

"And who is this un-named company that is planning to ask 750,000 people for their name and postal address?

"Is it possible they are planning to do anything else with that information if you hand it over to them?

"And what - seriously - are the chances that they are going to spend the money shipping that many hats to people who don't even know what brand it is that they are promoting."

Here's my $.02.

If it's legit, how are they planning to collect mailing addresses for that many people?

Think about it. Seven hundred fifty THOUSAND people.

Let's assume the mailing cost alone is $2/hat, we'll be optimistic.

You're talking about 1.5 *million* dollars just in mailing costs. Oh, and what brand is being promoted? Who's footing the bill for mailing the hats?

And we haven't even talked about the technology required to track that many addresses, link them to facebook accounts, and ensure everyone has been mailed one (but not several hats!) as it's going to take days--or even weeks--to get everyone to send in their addresses for the hats.

Oh, yah... and what about the cost of the hats themselves?

Even if they're $1 a piece to make, you're still talking about another $750,000 in costs. All with no mention of a brand behind it.

Methinks there's a rat in here somewhere.

As for Vans, Cluley says they've already disavowed the promotion for free shoes with this post to their official Vans Europe facebook page,


What should I do

If you've already liked either of these scams, do yourself--and your friends--a favor and at least "unlike" them. No reason to help the scammers get any further in their ploy to get your personal information.

Next, pay attention to your inbox. There's little question these scammers are looking to get at your email address to send you spam, phishing, and even spear-phishing emails.

Pay attention to what you click in your inbox. Think about what you're clicking on and who might have really sent that email to you.

And, let's remember: Facebook really is an incredible site with a whole world inside. The problem is, there is a whole world inside, good people and scammers alike.

Just because you're "surrounded" by friends in facebook, doesn't mean you get to check your street smarts at the [login] box.

The bottom line here: if it sounds too good to be true, it probably is.


Thanks and credit to Sophos and Graham Cluley for the find and the screenshots.

04/07/2011

Epsilon Break-In... What's the Lowdown?

By now you've probably gotten notice, as I have, from at least one bank / credit card company / financial institution that Epsilon, the company they use to send email messages to you, had a network breach.

Looking at even a short list of affected firms, Epsilon, a company most consumers have never heard of, appears to have (or to have had) a sizable portion of top banks in the U.S. amongst its client base.

But, it wasn't just banks that were hit.

It's just about every type of business imaginable, and chances are very, very, very high you've dealt with at least one of these companies. (Major hat tip to Brian Krebs of Krebs on Security who has been doing a stellar job keeping atop this list as more companies are added to the growing list of companies affected by the Epsilon break-in.)

Companies Affected by the Epsilon Break-In (So Far)
  • 1800-Flowers
  • Abe Books
  • Air Miles CA
  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Beachbody
  • Bebe Stores Inc.
  • Benefit Cosmetics
  • BestBuy
  • Brookstone
  • Capital One
  • Charter Communications (Charter.com)
  • Chase
  • Citibank
  • City Market
  • The College Board
  • Crucial.com
  • Dell Australia
  • Dillons
  • Disney Vacations
  • Eurosport/Soccer.com
  • Eddie Bauer
  • Food 4 Less
  • Fred Meyer
  • Fry’s
  • Hilton Honors
  • The Home Shopping Network
  • Jay C
  • JP Morgan Chase
  • King Soopers
  • Kroger
  • LL Bean
  • Marks & Spencer (UK)
  • Marriott Rewards
  • McKinsey Quarterly
  • Moneygram
  • New York & Co.
  • QFC
  • Ralphs
  • Red Roof Inns Inc.
  • Ritz Carlton
  • Robert Half
  • Smith Brands
  • Target
  • TD Ameritrade
  • TIAA-CREF
  • TiVo
  • US Bank
  • Verizon
  • Viking River Cruises
  • Walgreens
  • World Financial Network National Bank

Alright, so what's the big deal?

Well, for starters, it means spear-phishing risk for Y-O-U if you've ever had dealings with any of these firms.

While it's not yet perfectly clear what personal information was stolen from Epsilon, it's definitely clear names and email addresses were. What also isn't clear is whether the information about which companies you have relationships with was stolen.

And, that's where a part of this becomes especially tricky.

If the spammers know you're a Target customer, for instance, and they know your name, and of course, your email, they can send you an email that looks perfectly like legitimate email from Target.

(N.B. We use Target only for illustrative purposes in this piece, not for any other reason. You can replace "Target" with the name of any of the other companies above with whom you've personally done business.)

Now imagine an email sent to [email protected], addressed to YOU in the email and looking and sounding like it's coming from Target.

Imagine something like the following:

Subject: Get a $100 Target gift card... on us!
From: Target Stores <"[email protected]">
Date: April 7, 2011
To: Nicole Campbell <"[email protected]">
Hi Nicole,

Thanks again for your recent Target purchase!

We're writing from the customer satisfaction division with a brief survey of your online or in-store shopping experience.

As a way of saying, "Thank you!" all survey participants will receive a free $100 gift card from Target for use anytime.

Click here to get started.

Thanks again,
Your friends at Target and Target.com


And, here's where the scam is just unfolding.

Kroger, for instance, recently saw its customers lured by spams apparently from the Epsilon breach.

Quoting Krebs from his piece, he says, "In most cases, the spam sent to customers of these companies pushed recipients to buy dodgy services and software."

In at least one attempt, email recipients were pushed to buy Adobe Reader, which is free software.

Why? How are they making money if the software is free?

There's the catch: in most cases like these, you're not really buying anything, and here's what has happened:

You've just given the spammers/cyberthieves your credit card number and "permission" to charge your card. If you're lucky, they only charge your card for as much as you've given them permission to. If you're really lucky, they don't give you a virus or spyware to download instead of the real software.

Whatever the case, you may be facing a hefty credit card bill and some serious phone calls and letters to your credit card company to get them to absolve you of the charges.

Now, back to our Target example.

There are countless ways the spammers could spin things to get you to (a) give them your credit card number and/or (b) download a virus or spyware:

  1. You need our special free "survey software"
  2. Your browser needs a special free plug-in to take the survey
  3. You need to upgrade your Adobe Reader for $10 to take the survey to get the $100 gift card

The list could go on-and-on.

So here are the take home messages from the Epsilon break-in:

  1. Use your head when it comes to messages emailed to you
  2. Just because something is addressed to you and addresses you by your name, doesn't make it legit
  3. Does the email have "free" offers or ways to earn gifts or money for very little work?
  4. Were you expecting to receive the message? (If you just signed up to get coupons, and a coupon email comes five minutes later, it's probably safe.)
  5. How are the grammar and spelling in it? Commonly the bad guys are overseas and their English is often imperfect, and other conventions are often different from ours.

    Commonly you'll see a price in a scam email written as 35$ instead of $35 as is the convention here in the U.S.
  6. Are they asking you to "verify" anything? Let me tell you something: companies don't need you to verify anything. Ever. You got their email, they know who you are. An email asking for verification is almost definitely a scam.

These are just a few things to be on the lookout for. Most important of all, especially given the number of banks and credit card companies involved: never, ever, EVER put your social security number into a link that you clicked on in an email.

I cannot think of even one legitimate bank or credit card email requiring this.

And lastly, lest it go unsaid, use an Internet security suite. The best ones include good anti-phishing and malicious website filters.

While nothing is perfect, between the filters built into today's top web browsers and top Internet security software, you can offset the threat posed by scammers, the emails they send, and the sneaky websites they set up.
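
The mechanical items on the checklist above ("free" offers, requests to "verify," the 35$ price convention, requests for a social security or card number) can be written as simple pattern checks. The following Python is an added example, not part of the original article; the sample messages, addresses, and check names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the article's illustrative gift-card email.
SUSPECT = """\
Subject: Get a $100 gift card... on us!
From: Example Stores <survey@example.com>
To: Nicole Campbell <nicole@example.org>

Hi Nicole,

All survey participants will receive a free $100 gift card. To begin,
verify your account and upgrade your Adobe Reader for 10$.
"""

# Constructed benign message used as a negative control.
BENIGN = """\
Subject: Your order has shipped
From: Example Stores <orders@example.com>

Your order total was $35.00 and it ships Monday.
"""

# One pattern per mechanical checklist item (illustrative heuristics only).
# A greeting by name is deliberately not a check: it proves nothing either way.
CHECKS = {
    "free_or_gift_lure": re.compile(r"\bfree\b|\bgift card\b", re.I),
    "asks_to_verify": re.compile(r"\bverif(?:y|ication)\b", re.I),
    # Amount followed by "$" (35$), but not the U.S. form ($35 or $35.00).
    "trailing_currency": re.compile(r"(?<![\w$.,])\d[\d,]*(?:\.\d+)?\$(?!\d)"),
    "asks_for_ssn_or_card": re.compile(
        r"social security|\bSSN\b|credit card number", re.I),
}

def red_flags(raw_email: str) -> list[str]:
    """Return the sorted names of checklist items the message trips."""
    msg = message_from_string(raw_email)
    text = f"{msg['Subject'] or ''}\n{msg.get_payload()}"
    return sorted(name for name, rx in CHECKS.items() if rx.search(text))

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, red_flags(raw))
```

A tripped check is a reason to look more closely, not a verdict: plenty of legitimate marketing email says "free," so the checks are most useful in combination.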

10/08/2009

Largest Phishing Ring Busted by FBI

Exciting news today in the fight against phishing: the FBI has charged over 100 people with what the Director is calling, "the largest international phishing case ever conducted."

There are some interesting details of this phishing ring bust including:

  1. U.S. Financial institutions were targeted
  2. Involved criminals in the U.S. and Egypt
      53 charged in the U.S.
      47 charged in Egypt
  3. Hundreds, possibly thousands of accounts were affected
  4. Approximately $1,500,000 stolen from affected accounts

Phishing is a particularly nasty crime because of the indiscriminate way it targets its victims and because the crime often goes unnoticed for lengthy periods of time.

Imagine you get an email warning you that there's something wrong with your bank account or credit card. The email looks, sounds, and feels just like the real emails from your bank.

You click a link in it, and you're on your bank's website (or so you think...)

Sometimes these phishing sites really do completely mimic the bank, so that the next thing you know, this site that looks so much like your bank has confirmed your details and is apologizing for the inconvenience and thanking you for your time.

Huh. That's it, and you go on with your day.

Just that fast, someone has your banking information and has transferred money out of it or purchased something on your credit card. Heck, maybe they even opened up a credit card or two in your name.

Whatever the case, when it comes to phishing there is good software today that, while not perfect, does help make the risk of being snagged by a phishing attack quite a bit lower.

The first place to start is with antivirus firewall software or an Internet security suite. There's no question that no software is completely foolproof; however, compared to the cost in time, money, and heartache of repairing your credit and getting your good name restored, the sticker price of even the priciest security software is really very, very low.

As for the cybercriminals in the U.S., they've been charged with:

  1. conspiracy to commit bank fraud
  2. computer fraud
  3. money laundering
  4. aggravated identity theft

Sounds like the FBI is throwing the book at 'em. And rightly so. According to the article, the bank fraud alone could lead to jail sentences of 20 years.

While that won't help restore the victims' good names or help them get their money back, at least the criminals are likely to be locked up for a long, long time.