Thursday, September 19, 2013

Bait E-mails

According to reliable intelligence sources (e.g. Verizon Data Breach Incident Report), a large percentage of successful attacks against targets both of choice and opportunity begin with bait messages (so-called "fishing" attacks).

How to recognize a bait message:

It appeals to curiosity, fear, greed, lust, sloth, etc.

It appears to be personal but is addressed to a large number of people.

It has an ambiguous subject, contains a one-liner and a URL, and appears to come from someone you know at gmail, hotmail, Yahoo!, etc., but from whom you were not expecting to hear.

It appears to come from PayPal, American Express, Chase, Amazon, or others with whom you do business but does not contain your name or account number. 

It pretends to come from a "security" department asking you to react to activity on your account or profile.

It asks you to click on a button or URL within the message itself. 

Remember that any of these things may be legitimate but they are all suspicious. 

Remember that bait messages may be very artfully crafted.  They may contain logos, headings, footings, and other copy intended to make them look authentic. 
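
Several of the indicators above can be checked mechanically. The Python function below is an added example, not part of the original post: it parses a raw message and returns the checklist items it matches. The function name, the recipient threshold, and both sample messages are assumptions constructed for illustration; a match means suspicious, not proven malicious.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

FREE_MAIL = {"gmail.com", "hotmail.com", "yahoo.com"}   # providers named in the post
BRAND_RE = re.compile(r"\b(paypal|american express|chase|amazon)\b")  # brands named in the post
URL_RE = re.compile(r"https?://\S+", re.I)

def bait_indicators(raw, my_name, many=10):
    """Return the post's checklist items that a raw message matches (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender = f"{display} {addr}".lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    rcpts = getaddresses([str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])
    has_url = bool(URL_RE.search(body))
    hits = []
    if len(rcpts) >= many:                       # "large number" threshold is an assumption
        hits.append("many_recipients")
    if addr.rpartition("@")[2].lower() in FREE_MAIL and has_url and len(lines) <= 2:
        hits.append("freemail_one_liner_url")    # subject ambiguity is not measured
    if BRAND_RE.search(sender) and my_name.lower() not in body.lower():
        hits.append("brand_without_your_name")   # account numbers are not checked
    if "security" in f"{sender} {msg.get('Subject', '')}".lower():
        hits.append("security_department")
    if has_url and re.search(r"\bclick\b", body, re.I):
        hits.append("asks_to_click")
    return hits

# Constructed sample messages (reserved example domains, not real traffic).
SAMPLE_BRAND = """\
From: "PayPal Security" <service@paypa1-alerts.example>
To: alice@example.org
Subject: Unusual activity on your account

Dear customer,

We noticed unusual activity. Click here to verify your account:
http://paypa1-alerts.example/verify
"""
SAMPLE_FRIEND = ("From: Bob <bob@gmail.com>\nTo: "
                 + ", ".join(f"u{i}@example.org" for i in range(12))
                 + "\nSubject: hi\n\nyou have to see this http://example.net/x\n")

if __name__ == "__main__":
    for sample in (SAMPLE_BRAND, SAMPLE_FRIEND):
        print(bait_indicators(sample, "Alice Smith"))
```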

What to do with a suspicious message:

As little as possible.  Mere receipt of a suspicious message is not likely to hurt you.  It is clicking on things in it that will compromise your system. 

While it is not necessary, you may wish to alert the purported sender.  If it appears to come from an individual, return it to them with a subject line that says "Did you send this?" and a body that says, "If not, your e-mail account may be compromised.  Change your password."

If it appears to come from an enterprise, you may wish to forward it as an attachment to them.  Here are some useful addresses for that purpose:

spoof@paypal.com
spoof@ebay.com
spoof@americanexpress.com
stop-spoofing@amazon.com
fraud@abuse.earthlink.net
accountatrisk@chase.com
reportphish@wellsfargo.com
fraud@ups.com
abuse@bankofamerica.com
abuse@capitalone.com
spoof@citicorp.com
spam@uce.gov
abuse@verizon.com
abuse@fedex.com
webmaster@aa.com
emailfraud@keybank.com

If your victim is not in this list, Google their name with "fraud" and you will likely find it.
