Thursday, April 24, 2008

E-mail Hijacking / Friend Scams

How was it done?

Further to the e-mail I received from Anthony Lammert, I would just like to elaborate a little on what he meant by “Only an artful 'IT savvy tech' person would be able to circumscribe 'through the back door' to obtain such data!” The technique used to obtain data through the back door is called phishing or keylogging. For the benefit of readers who are not familiar with the terminology, I have the pleasure of providing a little information on E-mail Hijacking / Friend Scams, as happened to our unfortunate friend a couple of days ago.

Some fraudsters hijack existing e-mail accounts and use them for advance fee fraud purposes. The fraudsters e-mail associates, friends, and/or family members of the legitimate account owner in an attempt to defraud them. This ruse generally requires the use of phishing or keylogger computer viruses to gain login information for the e-mail address.

Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy Web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition, like the fishing expedition it is named for, is a speculative venture: the phisher puts out the lure hoping to fool at least a few of the prey that encounter the bait.

Phishers use a number of different social engineering and e-mail spoofing ploys to try to trick their victims. In one fairly typical case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from America Online that said there had been a billing problem with recipients' AOL accounts. The perpetrator's e-mail used AOL logos and contained legitimate links. If recipients clicked on the "AOL Billing Center" link, however, they were taken to a spoofed AOL Web page that asked for personal information, including credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers, and passwords. This information was used for identity theft.

A phishing technique was described in detail as early as 1987, while the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to the use of increasingly sophisticated baits in the hope of a "catch" of financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f. Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term "whaling" has been coined for these kinds of attacks.

The readers are advised to be suspicious of any official-looking e-mail message that asks for updates on personal or financial information and urges recipients to go directly to the organization's Web site to find out whether the request is legitimate.
