Tag Archives: instant messaging

Webmail Phishing Attacks – The True Cost

MessageLabs points out, in this timely report, the true cost of webmail phishing attacks and the impact such attacks can have on the victims of this cyber-criminal activity.

Courtesy of MessageLabs:

In the wake of the news reports this week of the large-scale webmail phishing attacks, much of the coverage has surrounded the compromise of email accounts which, according to the numbers, affected a massive number of webmail users.

However, what has been glossed over is the potential impact on the other aspects of the victims’ online lives. The bad guys likely now have more than just access to users’ email accounts, they have access to a host of other online services the victim uses.

“A user’s unique email address is often used to authenticate a number of web sites, including social networking sites and Instant Messaging on a public Instant Messaging (IM) network,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID.”

Once the bad guys have email account information and the will to take over related social networking accounts, all they need to do is try the password reminder links from the login pages. They can then not only use your email to spam, they can also gain access to other personal information stored online.

Over the last year, MessageLabs Intelligence has tracked a number of phishing attacks using Instant Messaging whereby the bad guys collected real IM user account information and passwords and used them to send commercial messages to everyone on the user’s buddy list.

An invitation to view a funny video or embarrassing pictures by clicking on a link in an IM was the bait and the landing site would then ask the victim to log in with their IM user name and password. For public IM networks, the user name is often the same as the web-based email account.

Phishing isn’t the only way the bad guys can gain access to webmail accounts. MessageLabs Intelligence has been aware of an increase in the number of “brute-force” password breaking attempts, where dictionary attacks are used against online webmail accounts to break in, perhaps using POP3 or webmail to conduct the attacks.

Users with simple or weak passwords are the most vulnerable. On the website, an attacker will be asked to solve a CAPTCHA puzzle to prove they are a real person. CAPTCHAs can be easily bypassed using a variety of CAPTCHA-breaking tools.


McAfee to Test Spam – Cyber Criminal Link

This morning my email inboxes in two of the five email services that I use, held a surprise for me once again, with an email from myself. As always, I simply deleted this spoofed spam email along with the other unsolicited junk mail.

The spoofed spam reminded me of an experiment being run by McAfee Inc., a world leader in antivirus, firewall, and Internet security software. McAfee began soliciting for volunteers in December 2007 and selected 50 of them to participate in a test in which the volunteers will have to respond to every unsolicited email they receive over a thirty day test period, beginning today.

Their laptops, supplied by McAfee, will operate without active anti-spam protection so that McAfee can test the theory that spam email is linked to cyber crime. Personally, I think that’s a no-brainer; so why bother with a test?

McAfee’s view, however, as expressed by Christopher Bolin, McAfee’s chief technology officer, is: “Spam isn’t just a nuisance. It’s a tool used by cyber criminals to steal personal and business data. And, as scammers become more adept at writing spam in local languages it’s becoming more difficult for Internet users to detect spam. It’s vital that computer users understand the risks of leaving their computers unprotected.”

It seems to me, given the fact that spam exists in many forms including instant messaging spam, Web search engine spam, Blog spam, cell phone messaging spam, and more, that focusing on a narrow definition of what constitutes spam, has little relative value.

So I’m skeptical about the significance of this type of experiment given what we already know about spam, malware attacks in all their various forms, and the known connection to cyber criminals. However, I’m a curious fellow and I’ll follow the research, and the results obtained, with interest.

If you’re interested, you can visit McAfee/Spam Experiment to track the daily progress of the S.P.A.M. Experiment and read Blog reports from the test participants.


Internet Addiction – Are You Hooked? – One Shrink’s Opinion

According to Dr. Jerald J. Block, M.D., in an editorial published on The American Journal of Psychiatry website, Internet addiction is an “increasingly commonplace compulsive-impulsive disorder” and should be included in psychiatry’s official guidebook of mental disorders, the DSM-V.

The Diagnostic and Statistical Manual of Mental Disorders is an American psychiatric handbook that lists categories of mental disorders and the criteria for diagnosing them. Despite its controversy in certain quarters, controversy in part caused by a perceived need to add new mental illnesses, it is used worldwide by clinicians and researchers as well as insurance companies, pharmaceutical companies and policy makers.

So how do you determine if you qualify as an Internet addict? Well, according to Dr. Block’s statistics, if you exhibit any of the following symptoms while online or offline: excessive gaming, sexual preoccupations or excessive email or text messaging, you meet at least one or more of the criteria needed to establish Internet addiction.

Hold on now, before you become concerned with your “excessive email or text messaging”, (I wonder who defines excessive and under what circumstances), apparently you also must exhibit the following:

  • Withdrawal – including feelings of anger, tension, and/or depression when the computer is inaccessible. (I can see how some people might feel mildly depressed when their system goes down.)
  • Tolerance – including the need for better computer equipment, more software, or more hours of use. (I qualify here, although not necessarily in terms of hours of use.)
  • Negative repercussions – including arguments, lying, poor achievement, social isolation, and fatigue. (I might qualify here – there are days when I definitely get tired of looking at a computer screen.)

When I was reading this editorial, naturally I began to compare my normal daily email activity with that of my friends – I generally get up to 80 or more emails daily (excluding spam), and at least 35 or more frequently require a personal response. Is this excessive? Who says so? Should I be concerned that I might run the risk of becoming an Internet junkie?

I know I’m being facetious regarding my email, but there is a larger problem here.

My problem with this issue is not Dr Block’s research since he does go on to say that 86 per cent of “internet addicts” also have some other form of a mental disorder. I’m sure that mental illness is a complex and mystifying subject that includes a multitude of variables. My real problem is with those people who use, or more properly misuse, these types of studies to achieve their own ends.

There are always individuals/groups/organizations waiting in the wings ready to pounce with great gusto on established, or emerging technologies. It seems that computers/connected devices will continue to be the target of modern day Luddites – a term used to describe those opposed, in some form, to technological progress and technological change.

It seems to me that we are, more and more, motivated to become a guilt driven society with the result that we are often forced to second guess many aspects of our lives. On the other hand, there are those who will insist that Western civilization has historically always been guilt driven; perhaps those who hold this philosophy are right.

Interestingly in the footnotes to Dr Block’s article the following statement is appended: Dr. Block owns a patent on technology that can be used to restrict computer access. Dr. Freedman (who?) has reviewed this editorial and found no evidence of influence from this relationship.

It’s always important for us to remember that there are lies, damned lies and then there are statistics.
