Security Breaches Strengthen Spam Campaigns

Spam artists armed for spear-phishing attacks: Internet Scambusters #440

Security breaches and selling of email addresses can lead to an onslaught of email spam and open the way for a particular evil form of information theft — spear-phishing.

Armed with relevant information, crooks can present a much more convincing case to trick victims into handing over their confidential information.

One simple rule will help you avoid falling victim but you may want to tighten up on your own security with new email addresses and passwords, as we explain in this week’s issue.

Now, here we go…


Security Breaches Strengthen Spam Campaigns


The ups and downs of the war against spam have been thrown into sharp focus by major incidents during the first half of the year, emphasizing the need for unflagging vigilance against spammers and scammers.

Over the years here at Scambusters, we’ve warned subscribers against responding to any kind of spam, but the flow of unwanted emails continues unabated and, as recent incidents have shown, some of this flood is potentially very dangerous indeed.

You may want to check out some of our earlier reports to remind yourself both of the risks and what you can do about them, before we go on to discuss the latest situation.

Stop Spam!

Spam: 10 Ways To Reduce It From the Editors of Internet ScamBusters

In one recent report, Spam Update: How You May Unknowingly Be Contributing to the Spam Problem, we highlighted the growth in the use of “zombie” PCs or “botnets” — networks of machines that, unknown to their users, have been taken over by scammers and used to send out spam.

In this area, software and security groups scored a big victory in March when they forced the shutdown of one of the biggest botnets, known as Rustock, which once broadcast about 50% of all the world’s spam messages.

But the taste of victory didn’t last long, followed as it was by a big security breach when hackers broke into the databases of a company, Epsilon, that handles email marketing for 2,500 commercial organizations including banks and retailers.

If you do any shopping or financial transactions online, you almost certainly got one or more messages from some of those organizations telling you the hackers managed to steal combinations of email addresses and their owners’ first and last names.

This opened the way for a particularly evil type of email spam that we’ve also reported on in the past — known as “spear-phishing” — in which spammers are able to target named individuals with better than normal chances of tricking them into giving away personal, confidential information including password and account details.

This latest incident means that in addition to being able to just send out general spam to current, confirmed email addresses, crooks may also know which companies we do business with.

Now, they can more convincingly spoof emails from those companies to their clients, in which they phish for that confidential information that they use for identity theft.

Spear-phishing is particularly effective because the victims are actually used to getting messages from the companies they deal with, often letting their guard down and breaking the golden rule by clicking on links that take them to bogus sign-on pages.

Mouse Points to Hidden Address

Even before the Epsilon incident, a member of the Scambusters team received what seemed to be a financial transaction notification from a company she deals with.

The message bore the company’s logo and actually carried some genuine links to its pages. But one link, supposedly to details of the transaction, would actually have taken her to a scam website in Russia, which has now been taken down.

The Scambusters member did not click the link. Hovering her mouse pointer over the link address (which also appeared genuine) revealed it to be quite different from the one actually shown in the message.

In the Epsilon incident, many of the affected companies (but not all) have sent out warning messages to customers urging them not to click on links or open attachments in messages that purport to come from them.

Of course, it’s not just theft that enables crooks to get their hands on live customer names and email addresses. Some companies will happily sell the information.

Recently, in the UK, for instance, police shut down a number of price comparison sites that were selling email addresses of people looking for particular products.

They weren’t necessarily selling them to scammers but their activities show just how easily email addresses are traded on the Internet and how they can fall into the hands of email spam artists.

The companies also insisted that they made clear on their sites that the information might be passed to “third parties” but invariably this declaration was hidden in the small print.

If you follow our “golden rule” about never clicking on links and, instead, keying in the Internet address of the company independently in your browser, you shouldn’t get caught out by this type of spear-phishing.

And you should always use Internet security software that includes a spam filter, which likely will pick up bogus messages.

But here are a few other things that should arouse your suspicions:

  • Getting a marketing message from a company you deal with that normally only sends out a regular email like a monthly statement.
  • Being asked to click on a link, when the company normally does not ask you to do this.
  • Seeing a different address to the one shown in the message when you hover your mouse over a link.
  • Any request for you to provide confidential information.

An additional danger is that armed with your full name and email address, crooks might also try to log on to your accounts at online financial and retail organizations like PayPal and Amazon.

In this case, they use their expertise at guessing passwords, many of which are simple and easy to get right.

The message here is that you should use difficult to guess passwords and change them frequently.

For more information on passwords, check out these earlier Scambusters reports.

Creating Computer Passwords

Get Tough With Computer Passwords and Secret Questions

In a worst case scenario or if you’re the kind of person who likes to be ultra-secure, you might consider closing down email accounts that have been compromised and opening new ones.

After all, they’re cheap and free — and potentially a powerful defense in the spam wars.

That’s it for today — we hope you enjoy your week!