- Worldstart's Tech Tips And Computer Help - http://www.worldstart.com -

Personalized Phishing

25 May 2005

If you want to catch bigger fish use better bait. Most of you by now have heard of or witnessed phishing scams. I have personally written two articles in the past couple of months describing what phishing scams are and how to avoid or spot them.

Just to get everyone up to speed on this subject I’ll go over the basics of phishing. Phishing is usually some sort of scam that is designed to grab user names, passwords, any sort of account information regarding vast array of different businesses. This is done by sending out a large number of emails with some message from a trusted site such as ebay or PayPal requesting your username and password to fix some sort of account issue.

This is a numbers game—hackers send out tons of these emails in hopes that it will apply to and ensnare a percentage of unaware individuals. To the majority of recipients the emails either seem completely odd considering they don’t have an account with that company or they are well informed and know not to ever send this information out when requested via email. So as with most security issues common sense is the best defense.

Well, phishing recently has raised the bar: security company Cyota has discovered a new technique to add false legitimacy to their emails in hopes of fooling those that otherwise would sidestep the attack. This new method involves using user specific information—information that does apply to the user, not merely some random email that may or may not apply or even make since. The report from Cyota also stated that most of these Tailored emails attempted to conceal themselves using the vale of your financial institution, such as your bank.

Some web crawler harvests the addresses from the institution or business, the hacker can then send out the tailored messages to these addresses, which should give them a greater chance of success. From here it’s pretty much the same old game: an email wanting you to verify some information about your account. Key logger programs send a log of every keystroke made while responding to the bogus email.

It doesn’t stop there either—once the hacker has your information, who knows what’s next? They could sell the information to another party or who knows, they may have plans of there own. Either way it stinks!

Although this attack is created for specific users, the way to protect yourself hasn’t changed: Never under any circumstances give out your personal information to an email requesting it. Your bank will never send you an email like this, in fact I don’t know of a business that would. If you do get an email like this, go out to the company’s website and log in (not through the link in the email) and see for yourself what’s going on.

Keep this in mind, and you shouldn’t have to worry about being a victim, forget it and there may be a heavy price to pay.

Stay safe out there,

~ Chad

Chad Stelnicki