Print
Discuss
Send to friend
RSS feeds
With spam now amounting to some three-fifths of all email traffic, with steady returns on the ancient art of the 419 scam, and with phishing apparently still a popular sport, it would seem that the hackers' current best bet for ready cash would have to be some combination of the above.
After all, if greedy users are still prepared to believe that their correspondent really is the rightful heir to a fortune in some Nigerian bank, and that Barclays and the rest are daft enough to ask for their password in an email, and that Viagra really is available online, it would be rude not to take advantage of them.
Incidentally, is it only me or does everyone else get the spam email that offers a job lot of Viagra and anti-depressants? I've always felt it was a very thoughtful offer; either the Viagra solves your problems, or the anti-depressants make sure you no longer worry about it.
Anyway, what should the hackers do? The obvious approach would be to set up a realistic copy of a bank's web site and send a particularly persuasive spam to as many people as possible.
Somebody will fall for it, of course. The clever thing, though, is not to ask for the password information straight away. Instead, simply ask for a confirmation email and make it clear that phishing is a real problem and so the users should be careful.
The web site to which the users are directed would look friendly and non-threatening, and would definitely not alarm them by asking for unnecessary information.
When people reply to the email and visit the web site, they get a follow-up contact from the hackers now posing as the bank's helpdesk staff, explaining that there is an issue with the users' online access account - some problem arising from the way in which the account has been affected by some security issues.
The hackers exchange two or three emails with the prospective victim, gradually winning their trust- until, eventually, the hackers are "forced" to ask for the password in order to change it on the user's behalf and allow them to re-establish the account properly. And then, of course, with the password the hacker can clean out the account, steal the user's identity and ride off into the sunset with a bucket load of cash.
Easy. All it takes is patience, persuasiveness and - on the part of the user - a degree of trust in their helpful helpdesk operator. Would it work? Of course it would. The continued, unbelievable success of the 419 scam tells us that users will believe seemingly any drivel if they think that they're going to make easy money out of it; and the fact that spam is still growing exponentially tells us that it must be working with some depressed, impotent email users. Someone will fall for it.
How could something like this be countered? Well, only by the prospective victims refusing to be victims and only by aggressive, successful policing. Or, of course, by better identification measures for the source of emails, which is why the current technical recommendations are so very, very important. In the meantime, I have a bucket here if anyone would like to put some money in it...
del.icio.us
Digg this
reddit!
