Software

Email fraud threatens even the savviest users: Don't get complacent

Email-based cybercrime continues to thrive, but even the savviest users might fall for a clever scheme. Deb Shinder offers tips to help you and your users remain vigilant.

Use of the communications infrastructure for for illegal or fraudulent purposes has been a problem since the inception of such systems. The U.S. Congress passed legislation outlawing mail fraud in 1872. It was inevitable that, when an electronic substitute came along, criminals would take advantage of it to further their scams.

Phishing may seem like "old news," but the phishing emails continue to pour in. During the holiday season, they become more prevalent - and in some cases, more sophisticated. And even if you think you're too smart to be taken in, if you're really smart, you'll heed the seasonal advice that "You better watch out" and look closely before you click on links or attachments in any email messages, no matter who appears to have sent them.

Perhaps even more important, be sure to warn those in your organization or household, who may not be as tech-savvy as you, of the need to be particularly vigilant now. Don't assume that just because they've been warned before, they won't fall prey to the new tricks; busy people caught up in the spirit of the holidays tend to be more vulnerable.

Don't be provoked into a hasty reaction

Scammers have a whole arsenal of tactics they use to try to get you to react, from pulling on your heartstrings with tales of starving children or puppies about to be euthanized to scaring you half to death with "official notices" from the IRS or your credit card company. Even if you've seen it all, some messages can evoke a visceral reaction that could cause you to click before you think - and that's exactly what the criminals are going for.

My husband and I both experienced a moment of shock when we received copies of an email purporting to be from our wireless phone provider. It was formatted in the same way as the real messages we frequently get from the provider, but this time, instead of notifying us that our monthly statement was ready in the average amount we usually see, it announced that the bill was almost $2000!

It's not like this was completely impossible. My husband had just returned from a trip to Russia, where he had taken his phone. We had gotten a genuinely shocking bill in the amount of over $800 a few years ago when he went to Israel and didn't realize the ramifications of data roaming. And even though he had taken care to keep data turned off this time, my first thought was that he messed up and ran up another big bill.

But before I clicked on anything, I looked a little more closely. The return address appeared to be from verizonwireless.com, but wait a minute - the message was sent to one of my secondary email accounts, which is not the one that's on file with Verizon. Upon further examination, the language in one place wasn't quite right, either. An examination of the headers revealed the truth: the message originated from an address outside the country, and authentication results showed that the IP address did not match the VZW.com address shown.

Many computer users, however, undoubtedly react emotionally to the large amount of money they "owe" and click the link to get the details before checking out the message more thoroughly. And it's not as if current email software always makes it easy to even find the Internet headers. In Outlook 2010, for example, you have to open the message, go to the File tab, and click the Properties button. That's not particularly intuitive for someone who doesn't do it all the time.

Because people often run up larger bills during the holidays than at other times of the year, scammers will take advantage of your fear that the big bill might actually be legit to try to fool you into clicking a link that will take you to a malware-laden site or downloading an attachment that contains a malicious payload.

You can't necessarily trust "trusted" senders

We all have certain people whose messages we trust because we trust them. We know grandma isn't going to (intentionally) send us porn links or viruses, but if grandma is technically naïve, we also know that her computer might very well have gotten infected without her knowledge. Thus, even though we trust grandma herself explicitly, we may not consider her to be a trusted sender.

The real danger comes from those we believe to be too security-conscious or too expert to have to worry about. A sad fact that I learned back when I was a police officer was that firearms instructors - those who had the most knowledge and experience with guns - so often experienced "ADs" (accidental discharges). Likewise, it was the long-time traffic cops, the ones who had been doing stops for decades, who most often made the mistakes that led to them being shot when walking up to a vehicle. The reason for this is complacency - that sense that because you have experience and knowledge about something, you're immune to its dangers. It leads you to let your guard down, to be less cautious than you should. And IT security professionals are just as prone to it as experts in any other field.

In fact, those who are most "expert" in IT tend to be the very ones who are most likely to turn off protective measures, such as blocking of attachments with particular file extensions, or use workarounds to defeat measures that are intended to keep them safe from malware.

Email dangers

There are three primary vectors for attacks via email: attachments, HTML mail, and links in the body of email messages. Opening attachments can activate the installation of viruses, trojans or worms that are embedded in the files. Scripts can be hidden in HTML pages. Links can take users to malicious web sites that surreptitiously dump "drive-by downloads" onto the system, or to phishing sites that resemble legitimate sites and thus trick the user into providing personal information and/or financial account information. Cybercriminals use all of these techniques to attack systems, steal information, and commit other illegal acts.

Criminals can use email itself as the "weapon" in a denial of service attack. Email bombing is a term used to describe the sending of huge numbers of email messages to a victim in order to overload the email server or individual account. This can be done by subscribing the victim to a large number of high volume mailing lists, or by using tools for automating the bombing process that are made available through some black hat hacker sites.

Criminals often create "spoofed" email messages that appear to come from a source other than the actual sender. They may also use email anonymizer services to disguise the origin of their messages.

Email can, of course , be used for the same criminal purposes for which postal mail has been used. Threatening email messages may constitute the crime of terrorist threat, assault by threat, or other specific offenses (depending on the laws of the state or country where they're received). Email that doesn't rise to the level of physical threats may fall under cyberstalking or harassment statutes.

White collar crime (financial crimes such as embezzlement, insurance fraud, bank fraud, blackmail, bribery, credit card fraud, insider trading, and so forth) often involve the use of email. Both violent and non-violent criminals use email because it's convenient and leaves less physical evidence. Sending spam - unwanted commercial messages - maybe be considered a crime, too, under the U.S. federal CAN SPAM Act and various state laws.

Just as email can be the weapon in a cybercrime, email can also be the victim - that is, criminals may intercept others' email messages to harvest the addresses, personal information or company trade secrets.

Preventing and stopping email-related cybercrime

Victims of email-related crime often don't report the crimes to authorities because they believe there's little that can be done. It's certainly true that jurisdictional issues and the difficulty of identifying the perpetrators can make it difficult to prosecute these crimes, but a concerted effort by both individuals and businesses, in conjunction with law enforcement agencies, has brought down a number of criminal operations that used email to do their dirty deeds.

The partnering of large corporations with government to bring more resources to the effort to track down and disable cybercriminals can make a big difference, as well. Microsoft's Digital Crimes Unit's work on bringing down major botnets such as Rustock and Kelihos has helped reduce global spam levels. The DCU has also teamed up with Microsoft Research to use technology to track child sex trafficking. A group of private sector organizations called the International Cyber Security Protection Alliance, with members such as McAfee and TrendMicro, recently announced its intent to work with governments in fighting online crime.

The civil court system can be used against email abusers, in place of or in conjunction with criminal laws. Because the level of proof is lower in civil cases, it may be easier to win cases against cybercriminals there. Microsoft's lawsuits against the Rustock and Kelihos defendants were instrumental in the take-down of those bots. In a recent civil judgment, Yahoo won a $610 million award from scammers who tricked Yahoo Mail customers into providing personal information by running an email-based lottery scheme.

Of course, from the point of view of the victims, an ounce of crime prevention is worth a pound of prosecution. Companies and individuals can take steps to keep cybercriminals out of their email systems or to prevent the malicious code they send from doing damage. Firewalls, anti-virus, and anti-malware software is a given. All computer users should be educated on best email practices, including basics such as:

  • not opening unexpected attachments
  • not clicking hyperlinks
  • setting mail clients to display mail in plain text instead of HTML
  • protecting the privacy of your primary email account, and using a "throwaway" web mail account for purposes such as registering on websites and mailing lists, or giving your address to anyone who might use it for spamming or sell it to someone who does.

Companies can cut email risks by using web forms on their websites as a means for people to contact them, instead of publishing company email addresses.

Encryption can thwart the plans of thieves to harvest information from email messages, and it's also important to remember to completely destroy the email messages stored on a computer's hard drive if you give the computer to someone else or recycle it. The safest route is to physical destroy the drive; if that's not feasible, use a program that overwrites the data multiple times. Remember that simply deleting files or even formatting a drive does not erase the data on it.

Also see:

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

6 comments
blaineclrk
blaineclrk

Just one example of the many attacks in action; Original release date: December 20, 2011 at 11:00 am Last revised: December 20, 2011 at 11:00 am US-CERT is aware of public reports of an active spear-phishing attack via email messages directed at United Services Automobile Association (USAA) members. These messages contain the subject line "Direct Posted" and contain a randomly generated four-digit number placed in the USAA security zone section. The messages ask users to open an attached file containing malicious software that if activated could provide access to a user's personal information. US-CERT encourages users to do the following to help mitigate the risk: * Review the alert posted by USAA regarding this issue. * Do not open attachments in email messages from unknown sources. * Refer to Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams. * Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks. * Install anti-virus software and keep virus signature files up to date. Relevant Url(s): http://www.us-cert.gov/cas/tips/ST04-014.html http://www.us-cert.gov/reading_room/emailscams_0905.pdf https://www.usaa.com/inet/pages/2011_19_12_deposit_phish_scam This entry is available at http://www.us-cert.gov/current/index.html#usaa_phishing_scam_and_malware

blaineclrk
blaineclrk

I could brag and say that since I use Linux/Ubuntu I don't have to be concerned about viruses, but even though I don't have to worry about viruses, I still have to keep tabs on my behavior and actions on-line. If I click on that wrong link I could get bombarded with spam. If one of my Yahoo or Google or ISP-sourced email friends gets hacked and my email address hits the web-waves, I could get loads of spam. If I'm not constantly observant and enter just that one little bit of private info on some untrusted or insecure login or some other form, I could get worse than spam, I could open the door for ID theft. Here's a recent addition regarding handling ID theft; http://www.idtheft.gov/ As far as computer speed goes, viruses would love to be able to use every bit of your computer's resources, and they can! The faster and newer your computer is, the better YOUR programs and THEIR viruses can operate. When your system gets overloaded and bogged down, that's when you know something's wrong. Either your Operating System is breaking, your hardware is breaking, or you're under the power of viruses that are stealing your power and probably worse than just your computer's power, they could be stealing YOUR power! Although I can boast that I don't have to be concerned about viruses on my operating system and I don't have one single anti-virus program running, I still can't afford to let my anti-stupidity lapse! That's one subscription that can't be trusted to anyone else but ME!

BALTHOR
BALTHOR

I really see that all computers are deliberately kept under a certain clock speed to give virus more power.Right now I can't imagine what in my computer is 3 gig.I want that 3 gig right where that little arrow is.Fraud mail is virus sliding.These psychos are even sliding their virus into trees and buildings.

blaineclrk
blaineclrk

I recently got an email from a bank asking for information regarding some out of normal activity. The email included a HTML file which contained a form. I saved it, then opened it with an editor. I was slightly surprised at the excellent language and vocabulary used, then, looking at the head tags I saw they were using script and CSS files from the bank site to make their message look and feel real (if I had been foolish enough to have opened it in a browser). Throughout the body of the email were image links from the bank website but the address for the form submission, the ONLY address in the attachment that wasn't from the bank's site, was to a different source for processing the form. Another set of giveaways were they needed my SS# and other bank info of course. Oh, the big giveaway was; I have never done business with this banking company! But, it they had used my bank I would still have checked the attachment VERY carefully just as I've described. A real notice from a bank should be a phone call, not asking for info over the phone either, but asking me to see them personally. Be very careful folks, wolves in sheep's skins are getting smarter and more dangerous. Here are several sources for reporting SPAM to. Some are legal authorities, some are just analysts. reportphishing@antiphishing.org database to collect and analyze SPAM webcomplaints@ora.fda.gov snake-oil and other so-called health medications. fraud@usps.gov anything to do with mail orders or anything else referencing using the postal service. customer@email.usps.gov chain mails having to do with money. spam@uce.gov general, or all SPAM. enforcement@sec.gov for stock scams and money laundering. Check out spamcop.net as well and remember to find and run their authentication routines on each of your email accounts if you register. Spamcop is not a legal enforcement agency. Their service notifies the (usually) innocent hosts that they have been hacked and used to send SPAM so that they can take action on their end to plug the holes and block the accounts that have been compromised or fraudulently created. As for you identifying SPAM, only your smarts can do that 100%.

billfranke
billfranke

I, too, recently got an email from a bank that I do do business with asking for information. No bank account number or SSN number. The bank wanted to know whether two "suspicious" charges that appeared on my credit/debit card were legit. I suppose that's because I live in Taiwan and my bank is in California -- they do have both my California and Taiwan addresses, though. One of the charges was for US$150 and the other for US$10. I clicked "Authorize", and that's all there was to it. Come to think of it now, however, I don't remember how it was that the pop-up window asking me about those charges arrived. I may have been on my online banking site, but maybe I wasn't, and I don't use any IM apps except for Skype, but my bank doesn't have that address. Now I'm a little perplexed. Thank you for stimulating my brain in this case. I'll be more careful next time. I often get emails from banks I don't do business with, both in the US and in Taiwan. I just delete them, just as I do with all the social networking emails allegedly from services I do not use: Twitter, Facebook, LinkedIn, and more I've never heard of before. I just delete them.

Editor's Picks