News Blog

September 28, 2007 2:38 PM PDT

Personal details show up in a recent spam attack

by Robert Vamosi

For this week's Security Watch column and Security Bites podcast, I spoke with Tod Beardsley, lead counter fraud engineer for TippingPoint, a provider of network-based intrusion prevention systems. The column and podcast talk about how social networking can be used for targeted attacks. Toward the end of the interview, I asked Beardsley what was the most interesting case he's worked on in the last six months.

"In the last six months, there was a case involving the Better Business Bureau. This is public. The story there is that the Better Business Bureau keeps these databases of all the complaints they ever get. That's the big sell for them. If I complain to my local Better Business Bureau about some national company, someone else in Spokane, Washington, can reference that, through the Better Business Bureau up there.

"The problem is there wasn't a whole lot of control on these complaint forms. They were accessible over the Internet using a pretty easy brute-force mechanism. So you can get the ID numbers. They're all sequential, they're not random or anything like that. The attack was that a spamming group had enumerated all these complaint forms, and those complaint forms ranged from national corporations to small family practitioners--you know, doctor's offices.

"The deal with doctor's offices is that now you run into HIPAA compliance problems because somebody may be complaining about the medication they got prescribed and stuff like that. The interesting part about this is that the attackers were able to correlate the real names with e-mail addresses with particular business complaint numbers.

"What we saw happen was a whole run of spamming campaigns where the victims were identified personally, which hardly ever happens, and information personally about them about a very recent and usually a personally emotional event in their life that was used as kind of a hook for a phishing campaign. 'Come here and log in here, and, by the way, what's your credit card number?' So it ended up being a very effective, very widespread, pseudo-spear phishing attack. This is, as far as I know, the first time anything on this scale has ever happened."
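The weakness Beardsley describes is a record store whose sequential IDs could be walked without any access control, so the enumeration shows up in server logs as one client requesting consecutive record numbers. As an added example (not from the article or from TippingPoint), the following Python scans access-log lines for that pattern; the sample log lines and the `/complaints/view?id=` URL scheme are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article): one client walks
# consecutive complaint ids, the other fetches two unrelated records.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Sep/2007:10:00:01 -0700] "GET /complaints/view?id=100231 HTTP/1.1" 200 5120
198.51.100.7 - - [28/Sep/2007:10:00:02 -0700] "GET /complaints/view?id=100232 HTTP/1.1" 200 4870
198.51.100.7 - - [28/Sep/2007:10:00:02 -0700] "GET /complaints/view?id=100233 HTTP/1.1" 200 5003
203.0.113.5 - - [28/Sep/2007:10:00:03 -0700] "GET /complaints/view?id=100900 HTTP/1.1" 200 4910
198.51.100.7 - - [28/Sep/2007:10:00:03 -0700] "GET /complaints/view?id=100234 HTTP/1.1" 200 4955
198.51.100.7 - - [28/Sep/2007:10:00:04 -0700] "GET /complaints/view?id=100235 HTTP/1.1" 200 5110
203.0.113.5 - - [28/Sep/2007:10:00:04 -0700] "GET /complaints/view?id=100417 HTTP/1.1" 200 4802
198.51.100.7 - - [28/Sep/2007:10:00:05 -0700] "GET /complaints/view?id=100236 HTTP/1.1" 200 4990
"""

# Hypothetical URL scheme; adapt the pattern to the real application's record endpoint.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET /complaints/view\?id=(?P<id>\d+) ')


def parse_requests(log_text):
    """Map each client IP to the complaint ids it requested, in log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(int(m.group("id")))
    return by_ip


def longest_sequential_run(ids):
    """Length of the longest run where each id is exactly the previous id plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=5):
    """Return {ip: run_length} for clients whose requests walk sequential record ids."""
    flagged = {}
    for ip, ids in parse_requests(log_text).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged
```

A flagged run is a signal to investigate, not proof of abuse; the structural fix is an authorization check on every record lookup, since predictable IDs by themselves never restricted who could read a complaint.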
