The Mind Games Cybercrooks Play

DQI Bureau

The subject line in an e-mail that hit thousands of in-boxes around the world
last month reads, “lawsuit against you.” In flawless legalese, the message
warns recipients that they recently sent an unsolicited fax to the sender's
office. Citing US civil code, its prohibition on sending junk faxes, and an
actual $11 mn settlement by restaurant chain Hooters, the missive threatens a
lawsuit over the alleged junk fax. “If you do not pay me $500 by the deadline
for payment, I intend to sue you for violating the Telephone Consumer Protection
Act,” it reads. “If you force me to sue, I will not settle for less than
$1,000.” Details of the alleged lawsuit are contained in the e-mail's
attached document.

Psyched Out

In today's litigious and digital society, being notified of a lawsuit via
e-mail might not seem too unusual, right? Gotcha! The e-mail is a scam that
preys on deep-seated fears of being hauled into court. Its target: unlucky
recipients who may indeed be among thousands of individuals and companies that
send junk faxes. The attachment -- labeled lawsuit.exe -- contains a new variant
of a computer worm called Bagle. When worried victims open the attachment,
malicious code embedded in its text downloads onto their PCs and swiftly
harvests all their e-mail addresses to send out even more spam. That second wave
uses the victim's personal e-mail address to send malicious code disguised as,
say, a pitch for a Paris Hilton sex video, to friends and associates. “This is
one of the most innovative ideas used by spammers to target unsuspecting
users,” says Govind Rammurthy, chief executive of computer security firm
MicroWorld Technologies, which sent out a warning about the lawsuit.exe scam in
March.
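The mitigation a mail gateway applies to a lure like the one above is to refuse executable attachments such as lawsuit.exe before a user can open them. The following added example (not code from the article or from MicroWorld) parses a constructed message modelled on the "lawsuit against you" e-mail and flags any attachment that is an executable by extension or, going beyond the text, by the "MZ" header a Windows executable carries even when renamed; the blocked-extension list is an assumption.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions a gateway would typically block outright (assumed list, not from the article).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows executable


def build_message(filename, payload, subject="lawsuit against you"):
    """Construct a sample lure; the addresses, body and payload are made up for this example."""
    msg = EmailMessage()
    msg["From"] = "claimant@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("If you do not pay me $500 by the deadline for payment, "
                    "I intend to sue you. Details of the lawsuit are attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def flagged_attachments(raw):
    """Return the names of attachments that look executable, with the reason."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, "blocked extension"))
        elif data.startswith(PE_MAGIC):
            # Renamed executable: harmless-looking extension, executable content.
            hits.append((name, "PE header under non-executable extension"))
    return hits


def gateway_verdict(raw):
    """'quarantine' if any attachment is flagged, otherwise 'deliver'."""
    return "quarantine" if flagged_attachments(raw) else "deliver"


if __name__ == "__main__":
    lure = build_message("lawsuit.exe", b"MZ\x90\x00 constructed, not a real binary")
    print(flagged_attachments(lure), gateway_verdict(lure))
```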

As Web-based scams proliferate, it's often psychological cunning, deployed
on top of surreptitious code, that is the secret to cybercriminals' success.
Like con men on the street devising new tricks, Internet fraudsters need a
never-ending supply of ways to persuade victims to open an attachment, click on
a link, or innocently enter personal data on a Web page. Bypassing mental
barriers, rather than software firewalls, is the surest means, say analysts, to
pickpocket personal identities and online bank accounts. “You can't install
a software patch for a person's mind,” says Barry C Collin, chief executive
of cybersecurity consulting firm Threat & Risk Associates.

In fact, hackers spend serious effort to research the psychological
vulnerabilities of potential targets, according to data-security analysts. They
watch news headlines for emotional or worrisome world events and often review
the success of an attack by reading press releases and corporate warnings in
order to tweak the next attack for greater effectiveness, says security firm
Trend Micro's director of global education, David Perry. Analysts say
“phishing” attacks often spike after a data security breach makes headlines.
The reason: Customers are already anticipating a potential request to update
account data and monitor their credit reports.

A scam involving Citibank earlier this year shows how far tricksters will go
with their mind games. To build trust, it operates in two phases, say analysts.
First, an e-mail purportedly from Citibank warns that customer accounts may have
been compromised in a previous scam. But it doesn't ask for personal
information. Instead, the scam requests an e-mail address, just in case the
victim's account is found to be hacked. Later, a second message is sent out
warning that, indeed, the account has been compromised. That message requests an
update of the victim's financial details. “Trust was built in the first
step. Then, in the second step, they asked for confidential information,”
explains MicroWorld's Rammurthy. He estimates that some 60% of victims who
received the second e-mail provided personal and financial data.

Indeed, with overall returns from phishing attacks falling as people grow
more wary of them, Web criminals are finding novel ways to persuade users to
open documents or click links that download data-stealing software onto PCs.
Instead of directly asking the user to enter personal data into a fake Web site,
cybercriminals are embedding code into fake news articles or business-oriented
“requests for proposals.” When opened, they install a back door into the PC,
then record and transmit the user's keystrokes, including sensitive
information such as names and passwords.

With sneakier hackers, fraud losses are climbing

The upshot: Fewer people are coughing up personal info, but fraud losses
continue to climb. A 2005 survey by Gartner found that just 2.5% of phish
recipients responded with personal or financial information, down from 3% in
2004. But fraud losses connected to the theft of such information off the Web
rose from $690 mn in 2004 to $1.5 bn last year. “If I'm a scammer, I have to
do something that will make you trust me,” says John Pescatore, vice-president
for Internet security at Gartner.

$20 Tutoring

Law enforcement agents say the thinking behind cyberscams is not much more
complex than age-old cons run by offline grifters. However, they add, it's
clear cybercriminals are pooling their brainpower to devise new techniques. A
DVD available in foreign black markets called Hacker's Handbook contains
scores of tips on how to trick victims, according to Trend Micro's Perry. And
former hacker Kevin Mitnick, who now runs his own security consulting firm, has
hosted a two-day “social engineering” conference for clients that outlines
hackers' techniques and includes a session entitled “Bugs in the Human
Hardware.”

It's not just the growing ranks of scam-wary Web surfers that have hackers
seeking ever more clever techniques. They also have to hustle to stay ahead of
an ever more crowded field of competitors. It's becoming easier than ever to
get into cybercrime. On March 24, security firm Sophos said that it had
discovered a Russian Web site selling a kit called WebAttacker for less than
$20. The software in the kit downloads a program that tries to turn off PC
firewalls, then installs a keystroke-logger. Already, WebAttacker has been sent
out via spam that promotes news stories about bird flu and the death of former
Serbian President Slobodan Milosevic.

The upshot is that increasingly it's psychological cunning, not
code-writing skills, that make for a successful hacker. “In order for the
cybercrime business to continue, it is going to rely more and more on social
engineering,” says Ronald J O'Brien, senior security analyst at Sophos.

By Brian Grow
