How bait attacks help crooks to increase success rates: Internet Scambusters #1,021
Crooks are putting out feelers, called bait attacks, to test individuals' and companies' vulnerability to a full-scale phishing operation.
Meanwhile, another type of baiting is working successfully to install malware onto victims' PCs.
We have details of these scams in this week's issue, along with a round of alerts focused on currently soaring gas prices.
Let's get started…
Scammers Using Bait Attacks to Test Victims
The evil art of phishing - theft of personal information via fake sign-on web pages and emails - is now smarter than ever through a trick called a bait attack.
The main purpose of bait attacks, also known as reconnaissance attacks, is to check if an email address is active and whether the victim is likely to be receptive to a full phishing attempt. The crooks are putting out feelers to assess your phishing potential. It significantly increases their chances of success.
For example, they might simply send a blank message and watch for a non-delivery (bounce) notice. If none comes back, they treat the address as live. Not every mail server bounces messages to non-existent addresses, but a bounce is a reliable "no", so the lack of one is good enough for the crooks' purposes.
Nearly all of the baiting messages come from Gmail addresses. That's because, say security specialists, Google's email service is well respected and new accounts are quick and free to set up in bulk. People tend to trust messages from a Gmail address. And because the messages contain no links, attachments or malware, security software has nothing to flag, so they sail straight into the inbox.
Senders can also learn whether a message was opened. Gmail offers a "read" receipt, although only for business (Workspace) accounts and usually only with the recipient's say-so; more often, the crook embeds a tiny remote image that is fetched from their server the moment the email is displayed. And if the recipient actually replies, the scammer knows they have a strong chance of hooking a gullible victim with a follow-up phishing message.
In a test, security firm Barracuda sent a simple "how can I help" reply and received full-scale phishing emails within 48 hours.
These were the type of message we've reported on before, in which the victim is told several hundred dollars have been deducted from their bank account to pay for anti-virus software.
The hope is that they'll click on a legitimate-looking link - in this case, one claiming to come from anti-virus maker Norton - to contest the charge, thereby giving away their sign-on details and perhaps bank account information.
Many of the bait attacks target businesses, with the aim of breaking into corporate networks, although anyone can receive them. Barracuda's research shows that more than one-third of 10,000 companies they sampled had received an average of three bait attack messages in a single month.
Don't Fall For a Bait Attack
There's no immediate danger from this type of bait attack - it's what happens next that counts - but you can't rely on your security app to spot and trash it.
As another security firm, Synivate, explains: "As the message itself typically contains little to no text, features no malicious links or file attachments, and is not an actual attack on its own, there is no reason to red flag it."
The main way to safeguard yourself is never to respond to messages that come from a name or email address you don't recognize, especially those using Gmail with a random-looking string of letters and numbers in the sender's address.
If you can tell from the inbox preview that it's junk, delete it without opening it. That avoids sending a "message read" signal to the scammer. That signal is usually triggered by the remote image loading when the message is displayed, so if your mail app lets you block remote images by default, do so; then even a message you do open tells the crook nothing.
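The traits described above (a freemail sender with a random-looking address, unknown to you, little or no text, no links, no attachments) are exactly what an ordinary spam or link filter is not looking for, so a small extra rule is needed to catch bait before anyone replies. The following is an added example written for this page, not code from Scambusters, Barracuda or Synivate: it scores a raw email on those traits and flags it when the score crosses a threshold. The weights, the threshold, the "random-looking address" heuristic and the four sample messages are all my own constructions.

```python
"""Heuristic scoring for bait ("reconnaissance") emails.

Added example: scores a raw RFC 822 message on the traits the article lists.
The weights, threshold and random-address test below are assumptions, not a
published rule set; tune them against your own mail before relying on them.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Free webmail domains that bait senders favour (Gmail dominated the Barracuda sample).
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
VOWELS = set("aeiou")
BAIT_THRESHOLD = 5  # assumption: a score at or above this is treated as bait


def _body_text(msg: Message) -> str:
    """Return the text/plain content, ignoring anything sent as an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() is None:
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).strip()


def _has_attachment(msg: Message) -> bool:
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def looks_random(local_part: str) -> bool:
    """Flag local parts like 'xkqvtrplmz91': almost no vowels, or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", local_part.lower())
    if len(letters) < 6:
        return False
    vowel_share = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowel_share < 0.2 or longest_run >= 5


def bait_score(raw_message: str, known_contacts: set[str]) -> tuple[int, list[str]]:
    """Score one message; higher means more bait-like. Returns (score, reasons)."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    body = _body_text(msg)
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if domain in FREEMAIL_DOMAINS:
        hit(1, f"freemail sender ({domain})")
    if looks_random(local):
        hit(2, "random-looking sender address")
    if sender not in known_contacts:
        hit(1, "sender not in contacts")
    if not body:
        hit(3, "empty body")
    elif len(body) < 40:
        hit(2, "almost no text")
    if not URL_RE.search(body):
        hit(1, "no links")  # the very trait that lets bait slip past link scanners
    if not _has_attachment(msg):
        hit(1, "no attachments")
    return score, reasons


def is_bait(raw_message: str, known_contacts: set[str]) -> bool:
    return bait_score(raw_message, known_contacts)[0] >= BAIT_THRESHOLD


# Constructed sample messages (not real captures).
BLANK_BAIT = "From: xkqvtrplmz91@gmail.com\nTo: you@example.com\nSubject: (no subject)\n\n"
HI_BAIT = "From: bgtrq7714zz@gmail.com\nTo: you@example.com\nSubject: Hi\n\nhi\n"
COLLEAGUE = (
    "From: Alice Jones <alice.jones@partner.example>\nTo: you@example.com\n"
    "Subject: Q3 report draft\n\n"
    "Hi, the draft we discussed is in the shared folder: https://docs.partner.example/q3\n"
    "Let me know if the numbers on page 4 look right to you.\n"
)
UNKNOWN_BUT_NORMAL = (
    "From: dave.miller42@gmail.com\nTo: you@example.com\nSubject: Question about your talk\n\n"
    "Hello, I attended your presentation last week and wanted to ask whether the slides\n"
    "will be published. I am researching the same area and found the section on logging\n"
    "particularly useful. Thanks in advance.\n"
)
KNOWN = {"alice.jones@partner.example"}

if __name__ == "__main__":
    for name, raw in [("blank", BLANK_BAIT), ("hi", HI_BAIT),
                      ("colleague", COLLEAGUE), ("unknown-normal", UNKNOWN_BUT_NORMAL)]:
        score, why = bait_score(raw, KNOWN)
        print(f"{name:15} score={score} bait={is_bait(raw, KNOWN)} {why}")
```

Note what the last sample shows: a Gmail sender you don't know is not enough on its own. The message has a normal-looking address, a full paragraph of text and a question worth answering, so it scores below the threshold. The blank and "hi" messages from random-letter addresses score high precisely because they have nothing in them. A rule like this belongs alongside, not instead of, your normal phishing filter: the follow-up phishing email with its fake Norton link will be caught by link and attachment scanning, which this score deliberately ignores.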
Another Type of Baiting
While we're on the topic, remember that scammers also use a different type of baiting to lure you into their grasp - free offers.
An email or text message says you've "won" or "earned" some sort of reward, which requires you to download a piece of software or digital product. Typically this is a supposed free publication or an app such as a high-quality audio player.
Crooks have even been known to scatter infected USB drives in public parking lots, knowing that some curious finders will simply plug one into their PCs. Researchers found that up to half of finders would do just that.
The aim here is to take control of your computer by installing malware to steal information or ransomware that locks up your machine until you pay up.
Or the scammers may fake a message from a digital music provider, like Amazon, asking you to sign on via their bogus replica page to download your reward. This is a barefaced phishing attack looking to steal your username and password.
As always, the way to avoid these cyber crooks is to never download items or log in via a link in an email or text message. And never, ever, plug in a USB drive whose origin you don't know.
Gas Price Scam Alerts
Gouging?: With gasoline prices going through the roof in recent weeks, you may feel you're being scammed every time you fill your tank, although there's no real evidence this is happening. Furthermore, new laws passed a few weeks ago make price gouging illegal. It always pays to shop around for fuel. Google "local gas prices near me today" to find the best prices or visit gasbuddy.com. But if you really think you've been scammed through a rip-off price, report it to your state consumer protection department.
Relief Program: Watch out too for bogus gas price relief scams. Scammers are exploiting confusion and desperation about potential, legitimate programs from federal and state governments, such as a gas tax break. Victims get a call offering membership in a phony relief program, for which they have to provide bank account details. No genuine government program signs you up by cold call or asks for your bank details over the phone, so never give them to someone you don't know, no matter who they say they are.
Gas Theft: There have been multiple reports of gangs stealing thousands of gallons from gas stations (using a device that bypasses pump meters). They use social media and messaging to advertise fuel at cut prices. Don't be tempted to buy - you could end up in court.
That's all for today - we'll see you next week.