
[Full-disclosure] A Recent Phishing Evolution?

Date: Fri, 26 Jan 2007 00:41:29 +1030
Hello List(s),

An interesting evolution in the use of professional and social  
networking sites as a means to build trust between a spammer /  
phisher and their target seems to have recently (within the last  
week) taken place on at least one professional networking site (which  
shall go unnamed).

In the incident, a mid-level financial executive from a non-English  
speaking background appeared to have created an account, created a  
profile, and then used the site's messaging system to individually  
contact a number of site members (less than a hundred in the initial  
push).  A recipient of the message who might have been dubious about  
its origins would have found that the details in the message and the  
account profile match up with information that is freely available on  
a number of corporate sites where the real executive works.

The initial exchanges between the profile owner(s) and the message  
recipients all appear to be normal business chatter between new  
business contacts, with no indication of any attempt for phishing.   
The use of a free webmail account once communication moves off the  
networking site also seems somewhat normal until messages received  
from this address are investigated (the profile owner(s) are angling  
from a personal approach, as the business executive showing interest  
in other fields).  At this point, it is identified that the source of  
the messages is everyone's favourite 419 country.

It appears that this is not the first time that this particular  
executive has been targeted as the supposed origin of a 419-style  
phish, however the earliest record pointing to evidence of this is  
only from October 2006.

I'm throwing this out there for the masses, to see whether anyone  
else has encountered something similar.  There has been very little  
written about the risk of real spam / phishing from professional  
networking (and equivalent) sites.  From what I have been able to dig  
up, a few authors have danced around the edges, focussing on the  
automated comment spam and malware delivery angle that these sites  
sometimes allow (MySpace, I'm looking at you), but no one seems to  
have picked up on this specific angle.  It would appear that the  
potential return for the significant time invested is much less than  
could be achieved with an automated attack, which is one reason why  
we may not have seen more of this style of approach.

I will give the person who has been 'cloned' time to authenticate
themselves with the sites concerned and shut down the fake accounts
before publishing a detailed breakdown of the events leading to the  
spam / phish attempt, how it was identified, and future risk  
factors / mitigation.

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
