I’m Rich…
… OK, so there are a few flaws in the plan, namely that I need to reply to someone in Singapore who has discovered some dormant investment accounts, and I can get 25% if I help them get at the money. Sounds all too familiar? Yes, it is that old phishing scam that we know and love; however, the twist here is that the letter arrived at my home address - it’s the same words as you would find in the ‘traditional’ email variety, just printed out and put in an envelope.
I wonder how many people will fall for this version… none, I hope… and in the meantime it will cost the scammers the price of printing and posting - with luck they will be out of business shortly.

The Fine Art Of Zippering…
… or ‘enrichment’ as it is sometimes known. Zippering is where you take data from multiple sources and put it together to create something more meaningful. It is usually used in the ‘phishing’ sense, where cyber criminals gather the information to put together a targeted attack (aka spear phishing). However, there is a call to collect all sorts of information in a single database, and there are a number of problems with that - notwithstanding the privacy ones!
Firstly, if someone gets hold of all the information, they need look no further, as it is a treasure trove for phishers. Secondly, when zippering information it is vitally important that the pieces relate to a specific individual - and this is the tough part. Imagine if it is done based on name… oops… too many John Smiths out there… what about address… umm… well, there are quite a few people at the same address who have different email addresses… by phone record… pay-as-you-go. Email… cyber cafés. The list of potential problems is vast. If you do get it wrong, the consequences for an individual can be disastrous. There was recently a case where a stolen credit card was used to download illegal material - and the card owner was accused, and it, to all intents and purposes, destroyed his reputation and his life.
So… if we are going to collect vast amounts of information it needs to be secure AND accurate - and failure on either of these counts is not (as the saying goes) an option.
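To make the accuracy point concrete, here is an added example (not from the original post) that zippers two constructed record sets: a first-match join on name alone silently attaches the wrong person's email to a transaction, while a join that demands an unambiguous match on name plus postcode links correctly and reports the ambiguous keys instead of guessing. The records, names and postcodes are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real people); two sources to be zippered.
SOURCE_A = [  # e.g. a customer list: name, postcode, email
    {"name": "John Smith", "postcode": "AB1 2CD", "email": "j.smith@example.com"},
    {"name": "John Smith", "postcode": "XY9 8ZW", "email": "john.s@example.net"},
]
SOURCE_B = [  # e.g. a transaction log: name, postcode, amount
    {"name": "John Smith", "postcode": "XY9 8ZW", "amount": 250},
    {"name": "Mary Jones", "postcode": "AB1 2CD", "amount": 40},
]


def key_of(rec, keys):
    """Tuple of the fields used to decide whether two records are the same person."""
    return tuple(rec[k] for k in keys)


def naive_zipper(source_a, source_b, keys):
    """First-match join: every B record is attributed to whichever A record
    with the same key comes first, so duplicates are silently misattributed."""
    first = {}
    for rec in source_a:
        first.setdefault(key_of(rec, keys), rec)
    return [{**first[key_of(b, keys)], **b}
            for b in source_b if key_of(b, keys) in first]


def zipper(source_a, source_b, keys):
    """Cautious join: only link when exactly one record on each side has the key.
    Returns (linked, ambiguous); ambiguous keys are reported for manual review."""
    by_a, by_b = defaultdict(list), defaultdict(list)
    for rec in source_a:
        by_a[key_of(rec, keys)].append(rec)
    for rec in source_b:
        by_b[key_of(rec, keys)].append(rec)
    linked, ambiguous = [], []
    for key in sorted(by_a.keys() & by_b.keys()):
        if len(by_a[key]) == 1 and len(by_b[key]) == 1:
            linked.append({**by_a[key][0], **by_b[key][0]})
        else:
            ambiguous.append(key)  # too many John Smiths: refuse to guess
    return linked, ambiguous


if __name__ == "__main__":
    print("naive, by name:", naive_zipper(SOURCE_A, SOURCE_B, ("name",)))
    print("cautious, by name:", zipper(SOURCE_A, SOURCE_B, ("name",)))
    print("cautious, name+postcode:", zipper(SOURCE_A, SOURCE_B, ("name", "postcode")))
```

The naive join credits the 250 transaction to j.smith@example.com, the wrong John Smith; the cautious join on name alone links nothing and flags the key, and only the two-field key produces a link, and the right one.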
Phishing From A Great Height
Most people think of phishing as something which is done across millions of people at a time - and only the daft fall for it. However, this is not always the case - how about going for CEOs? CEOs are busy people, and when they get an email about a subpoena in a civil case you end up fooling a few. This happened this week, as reported in the NY Times, and just points to how crafty the cyber criminals are getting. The email looked official, with official-looking graphics and a link to a site with the full details. Of course, if you followed the link and you didn’t have up-to-date anti-malware, you got infected with a nasty keylogger.
What could the CEO have done? The obvious comment is that they should have checked the content and the validity. BUT… who has the time to do that? In this case the fear factor from a social engineering perspective comes into play, and the knee-jerk reaction is tough to control. However, that is what you need to do - if you receive an email which you were not expecting, then sit back and think about it. We live in a world where people think they should respond to email instantly - sometimes a little additional thinking time would help. In this case there were names and addresses - it looked real, but there were no telephone numbers - and would the district court rely on email to issue a subpoena? No… if it were that important it would come via the mail, probably as a registered letter. So, there were a few pointers that should have raised alarms. The truth is that everyone needs to remain vigilant - and become a little more wary of unsolicited and unexpected email.
As for a catchy term for this new kind of phishing… Whaling… after all, this is all about going after the biggest fish in the sea. (I know, whales are mammals… but you can’t have it all!)