By Ray Dickenson
E-Commerce Times
Part of the ECT News Network
03/15/09 4:00 AM PT
In these difficult economic times, it's
disheartening to know that there are people out there who want to take
advantage of our fear for their own nefarious gain. Ray Dickenson, CTO
of security firm Authentium, offers some tips for avoiding these
hard-times scams.
Everyone knows cyber-crime is a cat-and-mouse game, usually involving a bit of social
engineering to trick unsuspecting computer users into clicking a link,
installing some software
or providing valuable information. The latest trick in crooks' bags:
"recession malware." This is a new generation of malware that exploits
consumers' financial woes and other recession-era problems. It's
trapping consumers and businesses alike.
No one has to say times are tough -- mortgages under water, cratered
retirement accounts, massive layoffs,
and foreclosures are evidence enough. Perhaps not surprisingly, criminals,
including cyber-criminals, are finding opportunity in others'
misfortunes. Here are some examples of the newest dark, yet ingenious,
schemes recently uncovered.
The Bogus Job
This one is cruel. With the unemployment rate at 7.6 percent, the
highest since 1974, job seekers are more desperate than ever to find
work. They're more likely to click any and all e-mails responding to
their online application and offering open positions. But some of the
messages are scams. Here's an example:
Subject: Shipping coordinator needed in U.S. for overseas company
Make US$40,000 a year managing our orders from your home. You
must have an e-mail account.
Say a job seeker applies and gets the job. Now the scammers will ask
for a bank account number. Their pretext is that the new hire needs it
to conduct the company's business through that account. If the new hire provides the
account information, they may next find themselves involved in illegal
money laundering for offshore criminals who just need an American
citizen with a bank account.
The Phony Windfall
These e-mails are also very appealing when money is tight:
Subject: RE YOUR INHERITANCE FUNDS
ADDRESS: WARK BRIDGE, SE 19 HL UNITED KINGDOM
PHONE NUMBER: +44-702402658
I wish to notify you again that you were listed as a beneficiary
to the total sum of GBP £11.2000,000.00 (Million pounds sterling) in
the codicil and last testament of the deceased (Name now withheld since
this is my second letter to you).
Please follow this link to claim your inheritance.
The link might then open a form that requests a Social Security
number, bank account number, birth date and more. But it's actually a
phishing e-mail fooling consumers into giving away their identity.
These e-mails are similar to the popular Nigerian 419 scams of the
'90s. Named after the Nigerian statute that covers the crime, these
e-mails appeared to be from Nigerian officials. They claimed recipients
would receive millions of dollars as part of an investment program if
they sent an "advance fee." In reality, no money was transferred and
users lost the money they sent.
The M & A Malfeasance
This one capitalizes on the possible brand confusion following bank
mergers and acquisitions. Here's an example that plays off Bank
of America's (NYSE: BAC) acquisition of Merrill Lynch last year:
Subject: Merrill Lynch account verification
Dear Merrill Lynch customer,
Due to the recent acquisition of
Merrill Lynch by Bank of
America, your Merrill Lynch account must be reestablished. Please click
this link to reestablish your Merrill Lynch account.
The link might provide a form requesting banking credentials. Or it
might download a virus, keylogger, trojan, or other identity-stealing
malware.
However, for any of these malware scams to work, users must click
the e-mail links or submit personal information. Simply receiving the
message usually won't harm the computer, user or business.
Theoretically, then, the best way to avoid attack is to not click these
links or provide the information requested.
But theory isn't always reality, as proven by the millions of ID theft
victims and billions of dollars lost to malware attacks. Other
precautions must be implemented to form a solid shield against
cyber-criminal campaigns. Here are some guidelines.
Be Skeptical
Always be wary of any message that requests payment, banking
details, or personal information. Banks and other organizations that
store private data virtually never ask for this information over e-mail.
They'll call or mail a paper letter.
If you receive an e-mail requesting this information, however, it's
best to call the organization and ask if such a message was sent. If
the answer is no, the message is a scam. Delete it. If the organization
did indeed send the message, it's still wise to provide the information
while you're on the phone, rather than in e-mail.
Verify Identities
Trust is difficult to establish online. Remember Peter Steiner's
famous cartoon with two dogs at a computer? One dog was saying, "On the
Internet, no one knows you're a dog." Just because an e-mail appears to
be from a certain party, doesn't mean it is. Nigerian 419 scams
illustrate this.
When receiving e-mails that purport to be from banks, government
bodies, etc., verify identities. Look for the sender's phone number in
the message, and call him/her to discuss it. Check the phone book or
other independent listings to ensure the number is legitimate. Do not
reply in e-mail. The key is to take the correspondence offline to a
medium where you can verify the sender's identity and the message's
legitimacy.
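The "Be Skeptical" and "Verify Identities" advice above can be turned into a first-pass triage that a help desk or mail filter runs before anyone clicks. The following is an added example, not code from the article or from Authentium; it scores constructed messages modelled on the three scams described (the bogus job, the phony windfall, the merger notice) plus one benign statement notice. The brand-to-domain allowlist and every address in it are placeholders, not the institutions' real domains, and the keyword lists are assumptions that a deployment would tune to its own mail.

```python
"""Heuristic e-mail triage run over constructed samples (added example).

Signals mirror the article's guidance: requests for banking or personal
data, promised windfalls (including oddly formatted sums), pressure to
click a link, and a sender domain that does not match the brand named.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str   # From: address
    subject: str
    body: str


# Constructed allowlist: brand -> domain the brand is assumed to send from.
# Placeholder domains only; a real filter would load the institution's own.
BRAND_DOMAINS = {
    "merrill lynch": "ml.example",
    "bank of america": "bankofamerica.example",
}

SENSITIVE = re.compile(
    r"bank account|account number|social security|routing number|"
    r"birth date|date of birth|password", re.I)
MONEY = re.compile(r"(?:US\$|GBP\s*£?|£|\$)\s*(\d[\d.,]*)")
URGENT = re.compile(
    r"click (?:this|the) link|follow this link|claim your|"
    r"must be re-?established|verify your|act now|immediately", re.I)


def sender_domain(address: str) -> str:
    """Domain part of a From: address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def malformed_amount(amount: str) -> bool:
    """True when the digit groups are not the 1-3 / 3 / ... / 1-3 shape of a real figure,
    e.g. the scam's '11.2000,000.00'."""
    groups = re.split(r"[.,]", amount.rstrip(".,"))
    if len(groups) < 2:
        return False
    first, middle, last = groups[0], groups[1:-1], groups[-1]
    return not (1 <= len(first) <= 3
                and all(len(g) == 3 for g in middle)
                and 1 <= len(last) <= 3)


def triage(msg: Message) -> dict:
    """Collect the scam signals present and map their count to a verdict."""
    text = f"{msg.subject}\n{msg.body}"
    signals = []
    if SENSITIVE.search(text):
        signals.append("asks_for_sensitive_data")
    amounts = MONEY.findall(text)
    if amounts:
        signals.append("promises_money")
        if any(malformed_amount(a) for a in amounts):
            signals.append("malformed_amount")
    if URGENT.search(text):
        signals.append("urges_click")
    domain = sender_domain(msg.sender)
    for brand, expected in BRAND_DOMAINS.items():
        if brand in text.lower() and domain != expected \
                and not domain.endswith("." + expected):
            signals.append("brand_domain_mismatch")
            break
    if not signals:
        verdict = "no signals"
    elif len(signals) == 1:
        verdict = "suspicious"
    else:
        verdict = "likely scam"
    return {"signals": signals, "verdict": verdict}


# Constructed samples modelled on the article's examples (addresses are invented).
SAMPLES = {
    "bogus_job": Message(
        "hr@overseas-orders.example",
        "Shipping coordinator needed in U.S. for overseas company",
        "Make US$40,000 a year managing our orders from your home. You must "
        "have an e-mail account. Reply with your bank account number so we "
        "can route customer payments through you."),
    "phony_windfall": Message(
        "solicitor@wark-bridge-legal.example",
        "RE YOUR INHERITANCE FUNDS",
        "I wish to notify you again that you were listed as a beneficiary to "
        "the total sum of GBP £11.2000,000.00 (Million pounds sterling) in "
        "the codicil and last testament of the deceased. Please follow this "
        "link to claim your inheritance."),
    "merger_notice": Message(
        "security@merrill-verification.example",
        "Merrill Lynch account verification",
        "Dear Merrill Lynch customer, due to the recent acquisition of Merrill "
        "Lynch by Bank of America, your Merrill Lynch account must be "
        "reestablished. Please click this link to reestablish your account."),
    "benign_statement": Message(
        "statements@ml.example",
        "Merrill Lynch: your monthly statement is available",
        "Your monthly statement is now available. Log in at the address "
        "printed on your paper statement to view it."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, triage(msg))
```

The verdict is deliberately a count of independent signals rather than a single keyword hit, so one false match (a legitimate bank mentioning "account number" in its own security reminder) lands in "suspicious" for a human to check rather than being auto-deleted; the malformed-amount check is the kind of small tell that the article's "too good to be true" rule points at.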
Get a Second Opinion
If you're unsure of a message's legitimacy, ask someone you trust.
Show the e-mail to them, and see what they think. If it's a widespread
scam, there's a chance other people you know received the message or a
similar one.
If you're still not sure, err on the side of caution. The old adage
holds fast: If the message sounds too good to be true, it probably is.
Just delete it.
Immunize Yourself
If users still click a link, however, it's important to have a
backup. Security and fraud prevention technologies can serve as an
immunization layer to protect users from the consequences of a malware
attack. Some of these precautions are staples, such as ensuring
antivirus and antispyware software is up to date and the firewall is on.
But even these technologies aren't fool-proof. Certain Web browsing
security tools are designed to supplement them, so that in the event
antivirus fails, private data is still protected. These secure browsers
work by rendering malware ineffective, which blocks key-loggers,
screen-scrapers, and other malware agents from accessing and stealing
data.
Above all, though, it's crucial to stay informed. Know what the
latest scams are, and be prepared when suspicious e-mails hit your
inbox. Cyber-criminals are becoming increasingly sophisticated and
specialized. Education will help users avoid becoming the next victim,
whether the economy is up or down.
Ray Dickenson is CTO of Authentium,
makers of security software solutions.