Wednesday, 17 September 2014

Tasty Spam: Phishing Isn't Just About Your Money

Via Flickr user Jerry Pank When we talk about phishing, we tend to focus on financial fraud, such as the fake bank websites and ecommerce portals. The attackers are looking for ways to steal our credit card numbers and online banking credentials. Cloudmark reminds us in this month's Tasty Spam that phishing can target non-financial accounts, as well.
Phishing for financial details is highly lucrative but also high risk. "Bank fraud gets more attention from law enforcement and carries higher penalties than, say, selling worthless diet pills," said Cloudmark's spam expert, Andrew Conway. Less sensitive accounts are still valuable, since they can be used to send more spam over email, SMS, or even social networks.
The theft of celebrity photos from iCloud is a perfect example of attackers going after non-essential accounts and the kind of damage that could be inflicted. Cloudmark shared some types of phishing attempts against non-financial accounts which may be landing in your inbox right now. Check out some below:
Any Email Will Do
Tasty Spam: Email
This all-purpose email landing page doesn't bother trying to guess which email service you may use and just displays all the logos. It's up to you to decide which account credentials you want to hand over.
Criminals Like Apple, Too
Tasty Spam: Apple
Apple IDs are also popular phishing targets, Cloudmark said. Once stolen, these accounts may be used to send iMessage spam, or to remotely take control of iPhone and iPads. The attacker may use the "Find my iPhone" feature to remotely lock the device, and then demand the victim pay a ransom to regain control.
Users Beware
Tasty Spam: WoW
If you play games, keep an eye on your video game accounts. Criminals may be reselling in-game items to other players who are willing to spend real money to get these objects. Even though most modern games launch with two-factor authentication features, gaming accounts are still getting compromised. The above email tricks users into thinking they need to take attention.
Tasty Spam: Craigslist

"Even Craigslist is not immune to phishing attacks," Conway said. This particular scam also tries to steal login credentials for email accounts. Word Salad
Tasty Spam: Bank
Note the white text at the bottom of this sample message phishing for bank account information (you may have to squint a bit). This random text, called "word salad," is intended to confuse spam filters, and may not even be visible if the message is displayed against a white background.
PayPal, An Old Favorite
Tasty Spam: PayPal
PayPal is an old favorite among scammers, but the attacks are fewer than they used to be, Cloudmark said. It may be because PayPal's fraud detection algorithms have gotten better, more mail servers are checking for DKIM signatures (if a message doesn't have a valid PayPal DKIM signature, then it is flagged as a forgery), or PayPal's users are just savvier about these messages.
Keep AlertDon't make the mistake of thinking that phishing is just about email or bank accounts. As you can see, the attackers will go after whatever you have. Keep an eye out for suspicious messages that demand you take action right away. Most phishing attacks have errors in spelling, grammar, capitalization, punctuation, or spacing. Keep a cool head and don't click.

No comments:

Post a Comment