May 26, 2005 4:00 AM PDT

Phishers get personal

Spammers and phishers are learning more about potential victims to better hone their attacks.

Web sites that use e-mail addresses as identifiers for password reminders and registration are open to exploitation by scammers to generate detailed profiles of people, security company Blue Security said this week in a research report.

In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer.

News.context

What's new:
Web sites that use e-mail addresses in their password-reminder and registration process could enable scammers to generate detailed profiles of people.

Bottom line:
The more malicious e-mail gets tailored to the recipient, the more careful Internet users may have to become--an added burden on them.


Using information gathered from a number of sites, they can tailor malicious e-mail to the recipient. That makes it more difficult for Internet users to distinguish real messages from those that are junk or part of a cyberscam. Also, customized messages are less likely to be caught by spam filters, experts said.

"Phishing attacks fairly recently have started getting more personalized and targeted," said Dave Jevans, chairman of the Anti-Phishing Working Group. Such fraud-related messages now include the recipient's name or e-mail address, or have even more information about the receiver, Jevans said.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as user names, passwords and credit card numbers. The thieves then sell the information or use it to commit identity theft. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Scammers usually have lists of e-mail addresses, either invented, bought or collected online using harvesting tools.

The trick in the registration or password reminder attack is in the response. Many online businesses return a specific message--such as "This address is already subscribed"--when an e-mail address is registered with the site. If an attacker gets that response, they know that address represents a valid customer.
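The response oracle described above, as an added Python example that is not part of the CNET article or Blue Security's report: a password-reminder handler and a registration handler whose wording reveals whether an address is a customer, beside versions that reply identically for every input, plus a self-check a site operator can run against their own handlers. The customer set, the message text and the OUTBOX list are constructed for illustration.

```python
# Constructed sample customer store (added example, not the article's code).
REGISTERED = {"alice@example.com", "bob@example.com"}
# Mail that would be sent, collected as (address, subject) pairs instead of
# going through a real mail server.
OUTBOX = []


def _normalize(address: str) -> str:
    return address.strip().lower()


def reminder_vulnerable(address: str) -> str:
    """The reply itself says whether the address is a registered customer."""
    address = _normalize(address)
    if address in REGISTERED:
        OUTBOX.append((address, "Your password reminder."))
        return "A password reminder has been sent to your address."
    return "This address is not registered."


def reminder_hardened(address: str) -> str:
    """Same reply for every input; the mail only goes where it can."""
    address = _normalize(address)
    if address in REGISTERED:
        OUTBOX.append((address, "Your password reminder."))
    return "If that address is registered, a reminder has been sent."


def register_vulnerable(address: str) -> str:
    """The 'already subscribed' oracle quoted in the article."""
    address = _normalize(address)
    if address in REGISTERED:
        return "This address is already subscribed."
    OUTBOX.append((address, "Confirm your registration."))
    return "Thanks for registering, please confirm by e-mail."


def register_hardened(address: str) -> str:
    """The existing owner learns of the attempt by mail; the requester does not."""
    address = _normalize(address)
    if address in REGISTERED:
        OUTBOX.append((address, "Someone tried to register with your address."))
    else:
        OUTBOX.append((address, "Confirm your registration."))
    return "Check your inbox for a confirmation message."


def leaks_membership(handler, known: str, unknown: str) -> bool:
    """Operator self-check: True when the replies for a registered and an
    unregistered address differ, i.e. the endpoint is a membership oracle."""
    return handler(known) != handler(unknown)
```

The self-check only compares reply text; response timing and HTTP status codes can leak the same bit and deserve the same comparison in a real deployment.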

How does profiling work?

This example illustrates how cybervillains could build up profiles of potential victims to better target their scams.

  • An attacker obtains a list of e-mail addresses. The scammer can buy a list, collect addresses from the Internet using harvesting tools, make up e-mail addresses, or use other means.
  • A script is written to automatically run the e-mail addresses against the registration and password-reminder features of Web sites.
  • Responses let the attacker know if an address is registered with the site. The data is used to compile profiles.
  • Profiles are used to target spam and phishing e-mails.
Source: Blue Security

By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address, Blue Security CEO Eran Reshef said.

"Imagine that somebody knows all the Web sites you ever registered with, and think about what one can infer from that," Reshef said. "By aggregating all this information you create a very detailed profile of the person, not just snippets of information."

As a result, attacks could have a higher success rate, because the e-mail presents unsuspecting recipients with accurate information in a message that looks like legitimate correspondence. For example, an e-mail purporting to come from a bank or credit card company could name the recipient and refer to an online store that the recipient actually uses.

Blue Security has found that a majority of the most popular U.S. Web sites allow "hostile profiling" by phishers and spammers. Additionally, many smaller Web sites, including online stores, sports teams' Web sites, political organizations and other groups are vulnerable, Reshef said.

However, hostile profiling does not seem to have become widespread yet, according to Blue Security's research.

Some Web site operators--major banks, for example--appear to be aware of the problem, Reshef said. These sites don't let people register


    4 comments

Never use the same email address twice
Never use the same email address for registering in different places. Or at least: use a dedicated address with services such as your bank or other financial businesses you work with. The recipient address is the only part of an email message that must be real for the message to reach you (the envelope-to address, not the one in the message headers. It's the same as with snail mail: the address on the envelope must be correct if the mail is to reach you).

Look for "disposable e-mail address" services such as sneakemail.com or spamgourmet.com (there are several others. These are the two I use). The name "disposable" is misleading. This is actually the kind of address you want to give to your bank so that you know that only your bank can send to that address, and your bank doesn't send to any other address. Then you would know for sure when an email that claims to be from your bank is really from your bank. There are several other ways to benefit from using multiple addresses, and the best known use is to reduce the damage spammers can do to you. It's easier to replace an address given to a few people than to replace an address you gave to everybody who ever needed to send you something. And addresses that are used a lot eventually need to be replaced when they get too much spam....
Posted by hadaso (468 comments)
replace an address
http://www.analogstereo.com/buick_skylark_owners_manual.htm
Posted by George Cole (314 comments)