The Rise of Low-Tech Attacks 

May 22, 2009 06:19 AM

While many forms of online mischief require some degree of technical sophistication on the part of the miscreant, we often see forms of attack that are quite simple. One case in point is the phishing attack. In many ways, phishing attacks are at the low end of the totem pole from a technical sophistication standpoint. In fact, ready-made phishing kits can be purchased in the underground economy (though the buyer should beware!), and many aspects of the attack can effectively be outsourced.
 
For a while, banking and other financial services sites bore the brunt of the phishers’ attention. It’s not surprising. Phishing is a financially motivated crime, so to understand the modus operandi of a phisher, all you have to do is follow the money. During the last year and a half or so we have noticed an interesting trend, in that social networking sites have become a much more popular target for phishers.
 
In some cases, social networking sites have even trumped financial services sites in the phishing popularity stakes. One reason, I believe, for this trend is that phishers have come to better appreciate the impact of using social context within their attacks. For example, there was a recent and well-publicized set of attacks on a popular social networking site, in which phishers took one compromised user account and used it as a launch pad for targeting that user’s friends.
 
Upon compromising the new set of accounts, the process was repeated. After all, if I receive a message purporting to be from a “friend,” then I’m much more likely to give that message more attention and potentially follow any instructions it contains, like “click here” or “log in.” By following those instructions, I might unknowingly divulge sensitive information to a fraudster or have malicious software surreptitiously installed onto my machine. This software could, in turn, be used to steal my information or use my machine for other nefarious purposes such as sending out spam email. Finally, if a cyber criminal is able to obtain my password for one site I transact with, he or she can now log into any other site that employs the same password.
 
These attacks are actually not all that new. We saw examples of such “social” phishing attacks in early 2006, though at that time the medium of communication used to carry them out was instant messenger. While we typically encounter the same styles of attacks on these newer media, we sometimes observe previously unseen attacks, and again, not all of them are technically sophisticated. One example is a new “name game” that appears on a popular blogging site. Participants in the game are asked to reveal some tidbits of personal information about themselves (for example, the street they grew up on, or their mother’s maiden name). The game then conjures up a new “name” for that person based on his or her attributes. It all seems to be in good fun until you realize that the operators of the “game” have managed to collect some potentially lucrative information about you. This same type of information is often used by legitimate websites to help further authenticate you or to help you change your password if you forgot it.
 
These types of attacks are not limited to particular social networking or blogging sites. You really should be careful when you reveal sensitive information online, even if you think it’s a request from a friend or in the name of good fun. Ultimately, in the Internet Age, our online identities are really an amalgamation of attributes about ourselves. When we wish to prove to someone else that we are who we say we are, we typically do so by answering questions using information that only we are presumed to know. Naturally, in today’s world that assumption may not be so true. If you give away bits and pieces of information about yourself, then a fraudster can, for all intents and purposes, pose as you online.
 
I suggest the following. Be careful whenever you transmit information about yourself. Even if you think doing so is harmless, there may be broader implications you aren’t considering. Also, even if such requests appear to be coming from a friend, be aware that your friend may have been the previous victim.

Cybercriminal activity is not just targeted towards banks. And, sometimes, it employs far more psychological sophistication than sheer technical wizardry.