Phisher Kings Court Your Trust
"Lawsuit against you," reads the subject line in an e-mail that hit thousands of in-boxes around the world last month. In flawless legalese, the message warns recipients that they recently sent an unsolicited fax to the sender's office. Citing U.S. civil code, its prohibition on sending junk faxes, and an actual $11 million settlement by restaurant chain Hooters, the missive threatens a lawsuit over the alleged junk fax.
"If you do not pay me $500 by the deadline for payment, I intend to sue you for violating the Telephone Consumer Protection Act," it reads. "If you force me to sue, I will not settle for less than $1,000." Details of the alleged lawsuit are contained in the document attached to the e-mail.
In today's litigious -- and digital -- society, being notified of a lawsuit via e-mail might not seem too unusual, right? Gotcha! The e-mail is a scam that preys on deep-seated fears of being hauled into court. Its target: unlucky recipients who may indeed be among thousands of companies that send junk faxes.
The attachment -- labeled lawsuit.exe -- is a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs, and then swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a Paris Hilton sex video, to friends and associates (see BW Online, 4/10/06, "This Bug is Nasty, Brutish and Sneaky").
"This is one of the most innovative ideas used by spammers to target unsuspecting users," says Govind Rammurthy, chief executive of computer security firm MicroWorld Technologies, which sent out a warning about the lawsuit.exe scam in March.
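The lawsuit.exe lure works because the attachment is an executable dressed up as a legal document. As an added defensive example (not code from the article or from any firm it quotes), the mail-gateway check below parses a constructed message modeled on the lure and flags an attachment both by its final file extension and by the "MZ" magic bytes that open every Windows executable, so renaming the file does not hide it; the sender address and attachment bytes are placeholders, not the real Bagle payload.

```python
"""Attachment policy check for a mail gateway (added defensive example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types Windows runs directly on double-click (non-exhaustive).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def attachment_findings(raw: bytes) -> list:
    """Return policy findings for every attachment in a raw RFC 5322 message.

    Two independent checks: the filename's final suffix (so "lawsuit.pdf.exe"
    is still caught) and the first bytes of the decoded payload, because a
    Windows PE/DOS executable starts with the "MZ" magic whatever it is named.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"{name}: executable file extension")
        if data[:2] == b"MZ":
            findings.append(f"{name}: MZ header, content is a Windows executable")
    return findings


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a message modeled on the 'Lawsuit against you' lure.

    The sender address is a placeholder and the attachment bytes are whatever
    the caller passes; nothing here is the actual Bagle payload.
    """
    msg = EmailMessage()
    msg["Subject"] = "Lawsuit against you"
    msg["From"] = "plaintiff@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("If you do not pay me $500 by the deadline, I intend to sue. "
                    "Details are in the attached document.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Two bytes of MZ magic plus padding stand in for an executable body.
    print(attachment_findings(build_sample("lawsuit.exe", b"MZ" + b"\x00" * 62)))
    print(attachment_findings(build_sample("lawsuit.pdf.exe", b"MZ" + b"\x00" * 62)))
    print(attachment_findings(build_sample("lawsuit.pdf", b"%PDF-1.4\n")))
```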
As Web-based scams proliferate, it's often psychological cunning, deployed on top of surreptitious code, that is the secret to cyber-criminals' success. Like traditional con men on the street, Internet fraudsters need a never-ending supply of ways to convince victims to trust them -- to open an attachment, click a link, or innocently enter personal data on a Web page.
IN YOUR HEAD.
Overpowering instincts, rather than firewalls, is the surest means, say analysts, to pickpocket personal identities and online bank accounts. "You can't install a software patch for a person's mind," says Barry C. Collin, chief executive of cyber-security consulting firm Threat and Risk Associates.
In fact, security analysts say hackers are spending serious effort in researching the psychological vulnerabilities of potential targets. Security firm TrendMicro's director of global education, David Perry, says they watch news headlines for poignant world events and often review the success of an attack by reading press releases and corporate warnings, in order to tweak the next attack for greater effectiveness.
Hackers also look for situations of confusion to exploit, such as a corporate merger. For example, Vigilar's Intense School in Ft. Lauderdale, Fla., which trains people in ethical hacking to help fortify digital defenses, uses a bogus e-mail from someone pretending to be a helpdesk employee trying to verify account data for a database that is being combined in the wake of a merger.
"There is a lot of implied trust that you can manufacture -- and exploit," says Ralph Echemendia, an info-tech security instructor at Vigilar's. Echemendia used the 2004 merger of Wachovia and SouthTrust as a model to deploy the script and tap merger chaos.
Analysts say phishing attacks also often spike after a data security breach hits news headlines. The reason: Customers are already anticipating a potential request to update account data and monitor credit reports.
"It makes them more vulnerable to psychological scams," says Herbert H. Thompson, chief security strategist for Security Innovation.
Take the case of a phish targeting Citibank customers this year. To build trust, it operates in two phases, say analysts.
First, an e-mail purportedly from Citibank (C) warns that customer accounts may have been compromised in a previous scam. But it doesn't ask for personal information.
Instead, the scam requests an e-mail address, just in case the victim's account is found to be hacked. Then, later, a second phish is sent out warning that, indeed, the account has been compromised -- and requests an update of financial details.
"Trust was built in the first step. Then, in the second step, they asked for confidential information," says MicroWorld's Rammurthy, who estimates some 60% of victims who received the second e-mail provided personal and financial data (see BW, 1/9/06, "Gold Rush").
Indeed, with overall returns from phishing attacks falling, Web criminals are succeeding in finding novel ways to convince users to open documents or click links that download data-stealing software onto PCs. Instead of directly asking the user to enter personal data into a fake Web site, cyber-criminals are embedding code into fake news articles or business-oriented "requests for proposals" which, when opened, install a backdoor into the PC, then log keystrokes. Russian security firm Kaspersky Lab estimates the use of data-stealing code designed specifically to steal financial information, known as Trojans, rose 402% in 2005.
SHARING THE STEALTH.
The upshot: Fewer people are, themselves, coughing up personal info, but fraud losses continue to climb. A 2005 survey by Gartner (IT) found that just 2.5% of phish recipients responded with personal or financial information, down from 3% in 2004. But fraud losses connected to the theft of such information off the Web still rose from $690 million in 2004 to $1.5 billion last year. "If I'm a scammer, I have to do something that will make you trust me," says John Pescatore, senior vice-president of Internet security at Gartner.
Law enforcement agents say that while the thinking behind cyber-scams is not much more complex than age-old cons run by offline grifters, it's clear cyber-criminals are pooling their brainpower to devise new techniques. A DVD available in foreign black markets called "Hacker's Handbook" contains scores of tips on how to trick victims, according to Trend Micro's Perry.
Former hacker Kevin Mitnick, who now runs his own security consulting firm, hosts a two-day "social engineering" conference for clients that includes sessions entitled "Bugs in the Human Hardware." At hacker sites such as mazafaka.ru and astalavista.box.sk, criminals often share ideas on how, for example, to exploit new state laws in the U.S. requiring firms to issue warnings when customer databases have been hacked.
Some scam artists still plot the old-fashioned way: by holding physical court. Law enforcement agents say Nigerian fraudsters often gather in Internet cafes in the country's capital, Lagos, to concoct the newest bait.
Famous for pioneering so-called 419 letters -- pleading e-mails from bogus foreign businessmen seeking to move money out of their country by tapping U.S. victims' bank accounts -- the Nigerian scammers are now establishing romantic relationships in online dating Web sites in order to dupe lonely love interests into giving up financial information.
"It's group brainstorm," says Gregory S. Crabb, a senior investigator for the U.S. Postal Inspection Service in Washington, D.C., who has hunted cyber-criminals around the world (see BW Online, 5/30/05, "Hacker Hunters").
Hackers are even finding ways to take the pain out of writing malicious code, a move that may enable more concentration on upgrading the psychology of the cyber-scam. On Mar. 24, security firm Sophos said it had discovered a Russian Web site selling a spyware kit called WebAttacker for less than $20. The pre-fab software downloads a program that tries to turn off PC firewalls, then installs a keystroke-logging device.
Already, it has been spammed out via e-mail touting news stories about bird flu and the recent death of former Serbian president Slobodan Milosevic. The technical skills required to be a cyber-criminal have been removed as an entry-level barrier. "In order for the cyber-crime business to continue, it is going to rely more and more on social engineering," says Ron O'Brien, senior security analyst at Sophos.