New Recession-Era Twist in Cyber-Crime: Preying on Fear
In these difficult economic times, it's disheartening to know that there are people out there who want to take advantage of our fear for their own nefarious gain. Ray Dickenson, CTO of security firm Authentium, offers some tips for avoiding these hard-times scams.
03/15/09 4:00 AM PT
Everyone knows cyber-crime is a cat and mouse game, usually involving a bit of social engineering to trick unsuspecting computer users into clicking a link, installing some software or providing valuable information. The latest trick in crooks' bags: "recession malware." This is a new generation of malware that exploits consumers' financial woes and other recession-era problems. It's trapping consumers and businesses alike.
No one has to say times are tough -- mortgages under water, cratered retirement accounts, massive layoffs, and foreclosures are evidence enough. Perhaps not surprisingly, criminals, including cyber-criminals, are finding opportunity in others' misfortunes. Here are some examples of the newest dark, yet ingenious, schemes recently uncovered.
The Bogus Job
This one is cruel. With the unemployment rate at 7.6 percent, the highest since 1974, job seekers are more desperate than ever to find work. They're more likely to click any and all e-mails responding to their online application and offering open positions. But some of the messages are scams. Here's an example:
Subject: Shipping coordinator needed in U.S. for overseas company
Make US$40,000 a year managing our orders from your home. You must have an e-mail account.
Say a job seeker applies and gets the job. Now the scammers will ask for a bank account number. Their pretext is that they need it so the user can quote business using the account. If the new hire provides the account information, they may next find themselves involved in illegal money laundering for offshore criminals who just need an American citizen with a bank account.
The Phony Windfall
These e-mails are also very appealing when money is tight:
Subject: RE YOUR INHERITANCE FUNDS
ADDRESS: WARK BRIDGE, SE 19 HL UNITED KINGDOM
PHONE NUMBER: +44-702402658
I wish to notify you again that you were listed as a beneficiary to the total sum of GBP £11.2000,000.00 (Million pounds sterling ) in the codicil and last testament of the deceased (Name now withheld since this is my second letter to you).
Please follow this link to claim your inheritance.
The link might then open a form that requests a Social Security number, bank account number, birth date and more. But it's actually a phishing e-mail fooling consumers into giving away their identity.
These e-mails are similar to the popular Nigerian 419 scams of the '90s. Named after the Nigerian statute that covers the crime, these e-mails appeared to be from Nigerian officials. They claimed recipients would receive millions of dollars as part of an investment program, if they sent an "advance fee." In reality, no money was transferred and users lost the money they sent.
The M & A Malfeasance
This one capitalizes on the possible brand confusion following bank mergers and acquisitions. Here's an example that plays off Bank of America's acquisition of Merrill Lynch last year:
Subject: Merrill Lynch account verification
Dear Merrill Lynch customer,
Due to the recent acquisition of Merrill Lynch by Bank of America, your Merrill Lynch account must be reestablished. Please click this link to reestablish your Merrill Lynch account.
The link might provide a form requesting banking credentials. Or it might download a virus, keylogger, trojan, or other identity-stealing malware.
However, for any of these malware scams to work, users must click the e-mail links or submit personal information. Simply receiving the message usually won't harm the computer, user or business. Theoretically, then, the best way to avoid attack is to not click these links or provide the information requested.
But theory isn't always reality, proven by the millions of ID theft victims and billions of dollars lost to malware attacks. Other precautions must be implemented to form a solid shield against cyber-criminal campaigns. Here are some guidelines.
Always be wary of any message that requests payment, banking details, or personal information. Banks and other organizations that store private data virtually never ask for this information over e-mail. They'll call or mail a paper letter.
If you receive an e-mail requesting this information, however, it's best to call the organization and ask if such a message was sent. If the answer is no, the message is a scam. Delete it. If the organization did indeed send the message, it's still wise to provide the information while you're on the phone, rather than in e-mail.
Trust is difficult to establish online. Remember Peter Steiner's famous cartoon with two dogs at a computer? One dog was saying, "On the Internet, no one knows you're a dog." Just because an e-mail appears to be from a certain party doesn't mean it is. Nigerian 419 scams illustrate this.
When receiving e-mails that purport to be from banks, government bodies, etc., verify identities. Look for the sender's phone number in the message, and call him/her to discuss it. Check the phone book or other independent listings to ensure the number is legitimate. Do not reply in e-mail. The key is to take the correspondence offline to a medium where you can verify the sender's identity and the message's legitimacy.
Get a Second Opinion
If you're unsure of a message's legitimacy, ask someone you trust. Show the e-mail to them, and see what they think. If it's a widespread scam, there's a chance other people you know received the message or a similar one.
If you're still not sure, err on the side of caution. The old adage holds fast: If the message sounds too good to be true, it probably is. Just delete it.
If users still click a link, however, it's important to have back-up. Security and fraud prevention technologies can serve as an immunization layer to protect users from the consequences of a malware attack. Some of these precautions are staples, such as ensuring antivirus and antispyware software is up to date and the firewall is on.
But even these technologies aren't fool-proof. Certain Web browsing security tools are designed to supplement them, so that in the event antivirus fails, private data is still protected. These secure browsers work by rendering malware ineffective, which blocks key-loggers, screen-scrapers, and other malware agents from accessing and stealing data.
Above all, though, it's crucial to stay informed. Know what the latest scams are, and be prepared when suspicious e-mails hit your inbox. Cyber-criminals are becoming increasingly sophisticated and specialized. Education will help users avoid becoming the next victim, whether the economy is up or down.
Ray Dickenson is CTO of Authentium, makers of security software solutions.