Phishers Get Personal

formatting link
By Joris Evers
formatting link
Spammers and phishers are learning more about potential victims to better hone their attacks. Web sites that use e-mail addresses as identifiers for password reminders and registration are open to exploitation by scammers to generate detailed profiles of people, security company Blue Security said this week in a research report.

In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer.

Web sites that use e-mail addresses in their password-reminder and registration process could enable scammers to generate detailed profiles of people. Bottom line: The more malicious e-mail gets tailored to the recipient, the more careful Internet users may have to become -- an added burden on them.

Using information gathered from a number of sites, they can tailor malicious e-mail to the recipient. That makes it more difficult for Internet users to distinguish real messages from those that are junk or part of a cyberscam. Also, customized messages are less likely to be caught by spam filters, experts said.

"Phishing attacks fairly recently have started getting more personalized and targeted," said Dave Jevans, chairman of the Anti-Phishing Working Group. Such fraud-related messages now include the recipient's name or e-mail address, or have even more information about the receiver, Jevans said.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as user names, passwords and credit card numbers. The thieves then sell the information or use it to commit identity theft. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Scammers usually have lists of e-mail addresses, either invented, bought or collected online using harvesting tools.

The trick in the registration or password reminder attack is in the response. Many online businesses return a specific message -- such as "This address is already subscribed" -- when an e-mail address is registered with the site. If an attacker gets that response, they know that address represents a valid customer.

How does profiling work?

This example illustrates how cybervillains could build up profiles of a potential victims, to better target their scams.

.. An attacker obtains a list of e-mail addresses. The scammer can buy a list, collect addresses from the Internet using harvesting tools, make up e-mail addresses, or use other means.

.. A script is written to automatically run the e-mail addresses against the registration and password-reminder features of Web sites.

.. Responses let the attacker know if an address is registered with the site. The data is used to compile profiles.

.. Profiles are used to target spam and phishing e-mails.

Source: Blue Security

By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address, Blue Security CEO Eran Reshef said.

"Imagine that somebody knows all the Web sites you ever registered with, and think about what one can infer from that," Reshef said. "By aggregating all this information you create a very detailed profile of the person, not just snippets of information."

As a result, attacks could have a higher success rate, because the e-mail presents unsuspecting recipients with accurate information in a message that looks like legitimate correspondence. For example, an e-mail purporting to come from a bank or credit card company could name the recipient and refer to an online store that the recipient actually uses.

Blue Security has found that a majority of the most popular U.S. Web sites allow "hostile profiling" by phishers and spammers. Additionally, many smaller Web sites, including online stores, sports teams' Web sites, political organizations and other groups are vulnerable, Reshef said.

However, hostile profiling does not seem to have become widespread yet, according to Blue Security's research.

Some Web site operators -- major banks, for example -- appear to be aware of the problem, Reshef said. These sites don't let people register with their e-mail addresses as their login name, he said. They also require additional information for registration or password reminders, or use other security measures.

Have you ever been phished?

Check here to see whether an e-mail that appears to be from your bank or an online merchant is actually an attempt to defraud you. eBay is one online business that does not allow registration and password reminder attacks. The auction Web site stopped using e-mail addresses as user IDs before phishing became an issue, and it has taken other protective measures in its registration and password-reminder process, said Scott Shipman, senior counsel for eBay's global privacy practice.

"It is all designed to prevent the unauthorized disclosure of information, be it the simplest piece of information, such as whether or not that e-mail address or user id is actually a valid user ID on the site," Shipman said.

In eBay's case, the reminder feature for user IDs gives the same response, regardless of whether the e-mail address is registered with the site. "The language of the error message will not tell you whether or not it was a valid account," Shipman said.

What will foil the attacks?

Attacks work only if sites generate a different response depending on whether an e-mail address is registered with the site or not.

.. A registration feature can only be exploited if the Web site uses e-mail addresses to register users and does not require a hard-to-fake personal detail, such as a credit card number. Other security features, such as requiring a new registrant to solve a graphical challenge, will also prevent an attack.

.. A reminder feature can only be exploited if it does not require personal information in addition to an e-mail address. A graphical challenge also counters an attack. Designing a Web site to not leak information about users is what all site operators should do, the eBay executive added. "It is an example of a type of practice that is a best practice," he said.

Hostile profiling is only one way phishing messages are getting more targeted. Earlier this month, security researchers reported that stolen consumer data was used in phishing scams to rip off individual account holders at specific banks.

Jevans at the Anti-Phishing Working Group said that Blue Security's study highlights an emerging phishing threat, and agreed that online organizations should take steps to eliminate vulnerable registration and password-reminder features.

"I think the research is real. You can certainly code your site to not do that, and you probably should," he said.

Copyright 1995-2005 CNET Networks, Inc.

NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at

formatting link
. Hundreds of new articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, CNET Networks, Inc.

For more information go to:

formatting link

Reply to
Joris Evers
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.