"Lawsuit against you," reads the subject line in an e-mail that hit thousands of in-boxes around the world last month. In flawless legalese, the message warns recipients that they recently sent an unsolicited fax to the sender's office. Citing U.S. civil code, its prohibition on sending junk faxes, and an actual $11 million settlement by restaurant chain Hooters, the missive threatens a lawsuit over the alleged junk fax.
"If you do not pay me $500 by the deadline for payment, I intend to sue you for violating the Telephone Consumer Protection Act," it reads. "If you force me to sue, I will not settle for less than $1,000." Details of the alleged lawsuit are contained in the document attached to the e-mail.
In today's litigious -- and digital -- society, being notified of a lawsuit via e-mail might not seem too unusual, right? Gotcha! The e-mail is a scam that preys on deep-seated fears of being hauled into court. Its target: unlucky recipients who may indeed be among thousands of companies that send junk faxes.
The attachment -- labeled lawsuit.exe -- is a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs, and then swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a Paris Hilton sex video, to friends and associates (see BW Online, 4/10/06, "This Bug is Nasty, Brutish and Sneaky").
"This is one of the most innovative ideas used by spammers to target unsuspecting users," says Govind Rammurthy, chief executive of computer security firm MicroWorld Technologies, which sent out a warning about the lawsuit.exe scam in March.
As Web-based scams proliferate, it's often psychological cunning, deployed on top of surreptitious code, that is the secret to cyber-criminals' success. Like traditional con men on the street, Internet fraudsters need a never-ending supply of ways to convince victims to trust them -- to open an attachment, click a link, or innocently enter personal data on a Web page.
Overpowering instincts, rather than firewalls, is the surest means, say analysts, to pickpocket personal identities and online bank accounts. "You can't install a software patch for a person's mind," says Barry C. Collin, chief executive of cyber-security consulting firm Threat and Risk Associates.
In fact, security analysts say hackers are spending serious effort in researching the psychological vulnerabilities of potential targets. Security firm TrendMicro's director of global education, David Perry, says they watch news headlines for poignant world events and often review the success of an attack by reading press releases and corporate warnings, in order to tweak the next attack for greater effectiveness.
Hackers also look for situations of confusion to exploit, such as a corporate merger. For example, at Vigilar's Intense School in Fort Lauderdale, Fla., where people are trained in ethical hacking to help fortify digital defenses, instructors use a bogus e-mail from someone pretending to be a helpdesk employee trying to verify account data for a database that is being combined in the wake of a merger.
"There is a lot of implied trust that you can manufacture -- and exploit," says Ralph Echemendia, an info-tech security instructor at Vigilar. Echemendia used the 2004 merger of Wachovia and SouthTrust as a model to deploy the script and tap merger chaos.
Analysts say phishing attacks also often spike after a data security breach hits news headlines. The reason: Customers are already anticipating a potential request to update account data and monitor credit reports.
"It makes them more vulnerable to psychological scams," says Herbert H. Thompson, chief security strategist for Security Innovation.
Take the case of a phish targeting Citibank customers this year. To build trust, it operates in two phases, say analysts.