Full Disclosure mailing list archives
A Recent Phishing Evolution?
From: Sûnnet Beskerming <info () beskerming com>
Date: Fri, 26 Jan 2007 00:41:29 +1030
Hello List(s),

An interesting evolution in the use of professional and social networking sites as a means to build trust between a spammer / phisher and their target seems to have recently (within the last week) taken place on at least one professional networking site (which shall go unnamed).

In the incident, a mid-level financial executive from a non-English speaking background appeared to have created an account, created a profile, and then used the site's messaging system to individually contact a number of site members (less than a hundred in the initial push). A recipient of the message who might have been dubious about its origins would have found that the details in the message and the account profile match up with information that is freely available on a number of corporate sites where the real executive works.

The initial exchanges between the profile owner(s) and the message recipients all appear to be normal business chatter between new business contacts, with no indication of any attempt at phishing. The use of a free webmail account once communication moves off the networking site also seems somewhat normal until messages received from this address are investigated (the profile owner(s) are angling from a personal approach, as the business executive showing interest in other fields). At this point, it is identified that the source of the messages is everyone's favourite 419 country.

It appears that this is not the first time that this particular executive has been targeted as the supposed origin of a 419-style phish; however, the earliest record pointing to evidence of this is only from October 2006.

I'm throwing this out there for the masses, to see whether anyone else has encountered something similar. There has been very little written about the risk of real spam / phishing from professional networking (and equivalent) sites.
From what I have been able to dig up, a few authors have danced around the edges, focussing on the automated comment spam and malware delivery angle that these sites sometimes allow (MySpace, I'm looking at you), but no one seems to have picked up on this specific angle. It would appear that the potential return for the significant time invested is much less than could be achieved with an automated attack, which is one reason why we may not have seen more of this style of approach.

I will give the person who has been 'cloned' time to authenticate themselves with the sites concerned and shut down the fake accounts before publishing a detailed breakdown of the events leading to the spam / phish attempt, how it was identified, and future risk factors / mitigation.

Carl
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com