Phishing Season Has Been Extended - Beware!
I've heard that timing is the key to comedy; it may well be true for information security as well.
Late last week I'd sent an email to the BIS (BankInfoSecurity.com) team suggesting that they consider publishing a piece about phishing. I've been getting clobbered with a wide-range of phishing emails over the past few weeks and thought it was noteworthy. It's not that I've been completely immune from receiving these in the past, but I've never had this many pass through my inbox in so short a period of time. On average, I'm receiving three or more per day. I'm someone who's fairly conservative when it comes to sharing my personal email account information and typically use temporary accounts to avoid just such a situation. But something has changed somewhere recently, and the bad guys are working double-time to get at everyone else's money. "Great idea," I was told by Tom Field (Editorial Director of BIS), they already had something in production and just about ready for publication. And so I was happy to read this week's story.
The Bad Guys are getting more sophisticated, applying more pressure and getting smarter. I know this based on what I see out in the field at a minimum, and what I deal with at home at a maximum. If you want to find out just how scary it is out there in the great digital void, have a school-age child use your PC. Every now and again I pull my son aside and show him all the website visits logged against his user account. Of course he doesn't recognize many of them as he's not even aware he's visiting them. They're embedded links within pages he chooses to visit that expose both him and the family computer to all forms of malware, spyware, viruses, tracking cookies (and lions and tigers and bears). He can't believe it, but has to when I show him both the log and the timestamps. Here's a situation where the browsing habits aren't questionable, but the results are.
Then throw in the allure of phishing emails. I tend to read aloud the titles of the many spam emails I receive. Some of them are hilarious in how they butcher the English language and take what might be inappropriate phrases and present them instead as something quite funny. But every now and again I share the absurdity of the subject lines from the less sophisticated phishers. One recent item read "$250,000 Transfer Notice". When opened up, it asks when and where you want this sum transferred into your account. Upon sharing this one with my wife, she asked if I was ever curious to follow up on these offers "just for fun." That scared me because while she knows better and knows there's nothing to be gained from doing so, I could see how these things happen. It seems harmless enough in the abstract because the thinking is you could pull back whenever you want to. But some of these phishing schemes rely on gathering very little information. Based on acquiring just a small nugget via these attempts, they may have just enough information to present a credible application for a loan or credit card. And that someone as remarkably bright as my wife would ever, even remotely entertain the possibility of toying with one of these emails tells me that you can never let your guard down. How many people out there aren't as smart as my wife or aren't married to someone who knows as much about information security as I do? With the economy being where it is, people are growing more desperate and as such are more likely to experiment or explore these "too good to be true" scenarios. Don't think the criminal element is ignoring that fact or opportunity.
And on a completely unrelated note: A few weeks back I blogged about how smaller banks and credit unions were selling their stability and reputation more than products and services. I'd commented that the bigger players weren't even bothering to assure their customers. Well, imagine my surprise this week when I received a Bank of America banner ad touting their current CD products and boldly stating "IT'S FDIC INSURED." I thought it both amusing and sad all at once. For me, the message was more "don't worry about our stability because the government has our, I mean, your back" than anything else. So don't invest in a BoA product because they're who you can trust; invest in BoA because Sheila Bair and Company has us all covered.