New Variations on the Theme of Phishing
By Mark Kemmerle, Enterprise Information Security Director, OIT
Izaak Walton first published The Compleat Angler in 1653, but he continued to add to his encyclopedia of fishing through five editions over almost 25 years. I feel a little bit the same way about notes on variations of computer “phishing” scams. Every week the OIT Customer Support Help Desk receives reports and inquiries about suspicious emails that arrive in state email accounts. A few of the suspicious ones are legitimate, but many are scams that have been recycling around the Internet in one variation or another for years.
Recently, however, email “phishing” attacks have grown increasingly clever. They combine old features with new, but the result may be just unfamiliar enough to lure in a few new victims. Here’s an update to help you avoid falling prey to some of the new phishing variations -- don’t take the bait.
“Spear Phishing”
Targeted phishing attacks aimed at a selected group of individuals have become known as "spear phishing," and they have increased over the past several years. While ordinary phishing is mass-mailed to as many email addresses as can be gathered, spear phishing is directed at a specific group, such as the customers of a particular bank, mortgage lender, or other organization -- often a financial organization of some kind.
And it's not just consumers who are targets of spear phishing attacks. Specific corporate employees are being targeted by criminals in attempts to gather corporate banking information and customer databases. Many of these attacks target high-profile individuals and others whose email addresses may be published on corporate websites. Government agencies and government employees have been victimized by this type of targeted attack, so be on the lookout while using your State of Maine “dot gov” email account.
A Real “Trojan” Horse – an Email containing a Link to a Malicious Website
In an increasingly popular method of attack, the potential victim --you -- receives an email message that seems legitimate. By clicking on a link inside the e-mail, you're taken to a spoofed Web site which immediately begins to download malicious software to your computer. Your anti-virus might kick in at this point and block the download, but if it doesn't, well, you're toast, as the IT security professionals might say.
You can also be prompted to download an updated version of Flash Player or QuickTime to view a file. When you go to "update" your software, whoops! Gotcha! The "update" was the malware: the bad guys have just installed keylogging software on your computer, which they can use to harvest your credit card numbers, user IDs, and account passwords. A keylogger records what you type before your browser encrypts it, so even what you enter into a "secure" https:// website is exposed.
Phishing Using a Business Link for a Hook
Recent phishing schemes have also targeted businesses using services such as Yahoo!, Google AdWords, or PayPal. Customers are sent e-mails advising them that their accounts require updating. The user is provided a link to a spoofed website, where they are asked to confirm or provide credit card information, which is then stolen and misused.
State employees shouldn't be likely victims of this type of scam while at work, but we have seen solicitations which claim to be from webmail providers, which state employees might mistake for a message from the OIT email administrators. Remember, though, the messages tend to be generic and, at work, you can always call OIT Customer Support at 624-7700 to report or discuss a suspicious message.
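The common thread in the two sections above is a link whose visible text says one thing while its real target is somewhere else. Here is an added example, not part of this OIT article, of the checks an automated mail filter (or a careful reader hovering over a link) can apply to the links in an HTML message: a target that is a bare IP address, a "user@host" trick in the address, a real host that does not belong to the organization the message claims to come from, link text that shows a different domain from the real target, and plain http on a page that asks for account details. The email body and every domain in it are constructed for this example, and the crude "last two labels" rule for deciding who owns a hostname is an assumption that works for .com/.gov style names only.

```python
# Added example (not the OIT article's own code): flag phishing-style
# links in an HTML email body. The sample message and every domain in it
# are constructed for this example.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Last two labels of a hostname ('www.examplebank.com' -> 'examplebank.com').
    Assumption: good enough for .com/.gov names; real code should consult
    the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(href, text, expected_domain):
    """Return the reasons this link looks like a phishing hook (empty = clean).

    expected_domain is the organisation the email claims to come from."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return []                      # mailto:, tel: etc. are out of scope
    host = parts.hostname or ""
    reasons = []
    try:                               # 1. bare IP address as the target
        ipaddress.ip_address(host)
        reasons.append("link target is a bare IP address")
    except ValueError:
        pass
    if parts.username is not None:     # 2. "https://bank.com@evil.example/"
        reasons.append("URL contains user@host trick")
    if registrable_part(host) != expected_domain.lower():   # 3. wrong owner
        reasons.append(f"host {host!r} does not belong to {expected_domain!r}")
    shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_part(shown.group(1)) != registrable_part(host):
        reasons.append(                # 4. link text shows a different domain
            f"link text says {shown.group(1)!r} but goes to {host!r}")
    if parts.scheme == "http":         # 5. no TLS on a page asking for details
        reasons.append("not https")
    return reasons


def suspicious_links(html_body, expected_domain):
    """Parse an HTML email body; return [(href, reasons)] for the bad links."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = analyze_link(href, text, expected_domain)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed "your account requires updating" lure.
SAMPLE_EMAIL = """
<p>Dear customer, your account requires updating. Please sign in:</p>
<p><a href="http://examplebank.com.account-verify.example/login">
https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help Center</a></p>
<p><a href="https://examplebank.com@203.0.113.5/">Secure login</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as-is, the script reports the first and third links and leaves the genuine Help Center link alone. The first link is the classic hook: the text shows the bank's real address while the href leads to a host that merely starts with the bank's name. The third uses the user@host form, which older browsers displayed in a way that hid the real destination.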
Economic Woes Create a Climate for Fraud
Economic uncertainty also creates opportunities for criminals and scammers. Similar to the “business link” attack outlined above, a phishing email might seem to come from a bank that has recently merged with or taken over your bank, your savings and loan, or your mortgage company. Mergers and acquisitions can be confusing. Timing the messages correctly can give the crooks the appearance of legitimacy. You’re asked to confirm financial information because of a change in bank ownership or management. Don’t. Be careful. Look up your financial institution’s contact information using an independent source. (Not the contact number or email address provided in the message.) The recent widespread uneasiness about financial institutions has created a situation where cyber-crooks can profit if you let your guard down.
Mobile Phone Phishing Scams that Use Text Messages Instead of Email
Now that we're all increasingly tied to our cell phones, phishers are using SMS (Short Message Service, or "texting") the same way they use e-mail to get at confidential personal and financial information.
Sometimes called “smishing” to differentiate the behavior from phishing (or just because it sounds weird), a typical scam starts with a text message informing you that your bank account or debit or credit card may have been compromised, or maybe that your ATM card is showing some suspicious usage. From there, you're instructed to text or call a number where you'll be asked for credit card or bank account information, or perhaps the PIN for your debit card.
Man-in-the-Middle Attacks on “Secure” Websites
Recently, sophisticated malware and attack tools have been created to impersonate a secure https:// web session, the kind with the little lock that lets you know you're "secure." A criminal positioned between you and the site can intercept the encrypted connection, impersonate you to the secure site and impersonate the secure site to you, presenting a forged certificate that looks legitimate at a glance.
Man-in-the-Middle (MITM) attacks are very hard to spot from the pages themselves; network-level inspection of where your traffic is actually going can confirm one, but that is a job for IT staff, not something most users can do. The good news is that the attacker also has to get past your browser's check of the site's certificate. Unless the crooks hold a certificate for that site which your browser already trusts, the browser will warn you that the digital certificate being used is not valid, and that warning may mean you are the target of a MITM attack. This is especially true if you are following a link from an email you received, even if the source appears legitimate.
If your browser warns you about an invalid certificate when you’ve clicked on an email link, you should back out of the transaction and cancel the activity immediately. Then contact the bank, store, or credit card company at an address you find independently – on the back of your credit card, on your monthly billing or account statements, somewhere outside the original contact.
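To see why the certificate warning is the signal to watch for, here is an added example, not from this article, that models the checks a browser makes before it shows the lock: the certificate was issued by an authority the browser trusts, it is still within its validity period, and one of its names matches the host you asked for, applying the wildcard rules of RFC 6125 (a wildcard counts only as the whole left-most label). The certificates and the trust store are plain Python dictionaries constructed for the example rather than parsed X.509 data, and the "attacker" certificate is simply the genuine one re-signed by an issuer nobody trusts. Real code never re-implements this; in Python you let ssl.create_default_context() do it and treat any verification error as the browser's warning.

```python
# Added example (not the OIT article's own code): the three checks behind
# the "certificate is not valid" warning, run over constructed certificates.
from datetime import datetime, timezone

# Constructed trust store: issuer names this "browser" trusts.
TRUSTED_ISSUERS = {"Example Root CA"}


def hostname_matches(pattern, host):
    """RFC 6125 style match of one certificate name against a hostname.

    The wildcard is honoured only as the entire left-most label, so
    '*.examplebank.com' matches 'www.examplebank.com' but not
    'examplebank.com' and not 'a.b.examplebank.com'. Requiring at least
    two labels after the '*' (rejecting '*.com') is an assumption that
    approximates the public-suffix rule browsers apply."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                 # partial wildcards ('w*.x') are rejected
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert, host, now=None):
    """Return [] if cert is acceptable for host at time now, else the reasons."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    # 1. Chain of trust: who vouched for this certificate?
    if cert["issuer"] not in TRUSTED_ISSUERS:
        reasons.append(f"issuer {cert['issuer']!r} is not trusted")
    # 2. Validity period.
    if not (cert["not_before"] <= now <= cert["not_after"]):
        reasons.append("certificate is outside its validity period")
    # 3. Name binding: browsers match subjectAltName dNSName entries.
    if not any(hostname_matches(name, host) for name in cert["san"]):
        reasons.append(f"no name in {cert['san']} matches {host!r}")
    return reasons


# Constructed certificates and check times.
NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2011, 1, 1, tzinfo=timezone.utc)
GENUINE = {
    "issuer": "Example Root CA",
    "san": ["www.examplebank.com", "*.examplebank.com"],
    "not_before": datetime(2009, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2010, 1, 1, tzinfo=timezone.utc),
}
# What an interceptor can forge: the right names, signed by nobody the
# browser trusts. This is the case that produces the warning.
FORGED = dict(GENUINE, issuer="Self-signed by attacker")
# A perfectly valid certificate for a look-alike host, presented for the
# real bank's name: caught by the hostname check, not the trust check.
LOOKALIKE = dict(GENUINE, san=["www.examplebank-secure.example"])

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("forged", FORGED),
                        ("look-alike", LOOKALIKE)):
        problems = check_certificate(cert, "www.examplebank.com", NOW)
        print(label, "->", "lock shown" if not problems else problems)
```

The forged certificate fails only the trust check, which is exactly the situation the section describes: the attacker can copy every visible detail of the site, but cannot make a trusted authority sign for it. Note also that the lookalike certificate is "valid" in every respect except the name, so a lock icon on the wrong site proves nothing; the host shown in the address bar still has to be the one you meant.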
In Summary
All these new attacks are variations on a familiar theme. You as a consumer can’t possibly stay informed on each new variation, but if you’re cautious and alert, you should be able to keep yourself out of harm’s way.
A link to this article will be maintained on the OIT Enterprise Security intranet webpage at:
http://inet.state.me.us/oit/services/CoreTechnology/security/index.html