Staying out of trouble online and protecting your personal details should be pretty easy, right? Not anymore. Hamish Anderson blogs about how easy it is to be duped by online scams that appear to come from trusted and recognisable sources.
Staying out of trouble online and protecting your personal details should be pretty easy, right? Many people believe this, and that only fools get caught out by phishing and similar scams. Whilst this may be right to an extent, sadly it is not entirely the case.
In July 2010, it was reported that Australians lost $1.286 billion to online scams and that 1 in 10 Australians had, at one time or another, been a victim of a scam (and that is only the people who admit to it). This figure is quite phenomenal really. However, in many ways it is hardly surprising. The increased sophistication of online scams, and the growing realism and depths scammers will go to (such as spear phishing), make it more understandable why cyber thieves are having more success. In fact, 2011 saw an increasing trend for scams to take advantage of trusted sources (a source you would not ordinarily question due to its reputation) to improve the realism of the scam; “Source Doping” as we’ve taken to calling it around the office.
Unfortunately, Source Doping is not new, and neither is it confined to one technique. In fact, three different methods spring to mind.
Using Cloud Based Providers
A few days ago it was reported that a new phishing scam was doing the rounds. The scam in itself was not necessarily unique; cyber criminals pretended to be the ANZ bank updating their security in one scam and in another pretended to be a US-based high school updating their online portal. As is de rigueur with phishing scams, both emails led the recipient to a micro-site where they were required to enter a variety of personal data.
What made these particular scams a little different to the run-of-the-mill scam is that the criminals took advantage of the Google Docs free suite of products to make the scam seem that little bit more authentic. By using the google.com domain for attachments and the like, many recipients would be immediately put at ease. Not only that, but by using Google Docs the thieves get to use the HTTPS protocol, are not charged, and can automate many of the steps in the back end.
From a user’s perspective, the email – if well written – looks real and on cursory glance has a number of authentic factors which would minimise the chance of suspicion.
Man-in-the-Mailbox Doping
We have all at some stage or another made a typo when writing an email address. Take solace in the fact you were likely not the first to, and won’t be the last. However, did you realise that would-be thieves and scammers are increasingly waiting for you to make such a mistake for their own personal advantage?
Man-in-the-Mailbox attacks basically seek to exploit user error (typos), allowing the attackers to access emails not intended for them, and to engage in conversation with target companies for the purpose of collecting information required to either hack the internal network or conduct a phishing attack. It basically works like this: hackers purchase domains which are very similar to existing corporate domains, and which on brief inspection look like a legitimate domain. It may be that they buy a domain which uses slightly different syntax (e.g. a hacker may purchase the domain www.victoriasecret.com.au, which is different yet very similar to the legitimate www.victoriassecret.com) or they buy a domain with a common spelling mistake (e.g. www.greysonline.com vs www.graysonline.com).
Once the thief has acquired the domain they desire they wait for an unsuspecting victim to send an email to the wrong domain. Once they have it they begin to email back and forth, often acting as a go-between, linking the sender and the desired recipient. In doing this they collect valuable data which can be used later to either penetrate the target network or embark on a spear phishing campaign armed with a large amount of knowledge.
Hacked Accounts
Have you received an email from a friend or colleague asking you to help them in a tight spot? Perhaps they are overseas and have lost their wallet/luggage and need money to get home. Maybe they are embarrassed they had gambling debts and pawned their partner’s heirloom and need some cash to buy it back. Whatever the contents, chances are you have seen an email like this in the last year.
In 2011 there was a high incidence of public domain email addresses (Hotmail, Yahoo! Mail and Gmail) being hacked and emails similar to the above being sent to the address books of the hacked account. The recipient was meant to show sympathy for the victim and reply. The sender would then provide back details and voila, money would be sent to the thief. A simple process, but one which was prolific and which no doubt duped some recipients.
Protecting Yourself
Protecting yourself against cybercrime is not always easy, especially as the sophistication of scams improves, but as we have stated before, always question the legitimacy of an unsolicited email. If you receive an email from a trusted source, and it seems out of character, call the sender and verify the details before continuing. At the end of the day three (3) simple steps can help you:
- Question – Ask yourself why you would receive this email
- Authenticate – Look at the URL of destination pages by hovering over links, and check the URL against a page you type into the browser yourself. Also, randomly check your email address book for typos and errors
- Eliminate – If the email is found to be of a dubious nature, deleting it is not good enough. Attack the source by reporting the email address (move to Junk, flag as Spam etc). If there are enough reports, the sender will be found out and spam rules updated to protect users into the future.
Lastly, as in all things regarding business, exercise caution and good common sense; these two things will save you time and time again.
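The address-book check from the Authenticate step, applied to the lookalike domains described under Man-in-the-Mailbox Doping, can be automated. The following is an added example, not code from the original post; the trusted list reuses the legitimate domains named above, and the address book and the short suffix list are constructed assumptions.

```python
# Added example: flag address-book entries whose domain is a near miss of a trusted one.
TRUSTED = {"victoriassecret.com", "graysonline.com"}   # legitimate domains from the article
ADDRESS_BOOK = [                                       # constructed sample entries
    "orders@graysonline.com", "orders@greysonline.com",
    "help@victoriasecret.com.au", "friend@example.org",
]
# Assumption: this short list stands in for the full Public Suffix List (longest first).
SUFFIXES = (".com.au", ".co.uk", ".com", ".net", ".org")

def split_domain(domain):
    """Return (registrable label, suffix), e.g. 'mail.anz.com.au' -> ('anz', '.com.au')."""
    domain = domain.lower().rstrip(".")
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            return domain[: -len(suffix)].split(".")[-1], suffix
    return domain, ""

def edit_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, or swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)   # adjacent letters transposed
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def check_address(address, trusted=TRUSTED):
    """Classify an address as 'trusted', 'unknown', or 'lookalike of <domain>'."""
    label, suffix = split_domain(address.rsplit("@", 1)[-1])
    if label + suffix in trusted:
        return "trusted"
    for good in sorted(trusted):
        good_label, good_suffix = split_domain(good)
        limit = 1 if len(good_label) < 8 else 2      # short names tolerate fewer edits
        distance = edit_distance(label, good_label)
        # Near-miss spelling, or the right name registered under a different suffix.
        if distance <= limit and (distance > 0 or suffix != good_suffix):
            return f"lookalike of {good}"
    return "unknown"

def audit(addresses):
    """Return only the entries that need a manual check before the next email is sent."""
    verdicts = {a: check_address(a) for a in addresses}
    return {a: v for a, v in verdicts.items() if v.startswith("lookalike")}

if __name__ == "__main__":
    for address, verdict in audit(ADDRESS_BOOK).items():
        print(f"{address}: {verdict}")
```

An entry flagged as a lookalike is a prompt to verify the address through another channel, not proof of fraud; some organisations legitimately use more than one suffix.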