There is a new phishing scam making the rounds. All it involves is people on your Google Talk IM’ing you with “check this out!” It just goes to show that there is nothing new under the sun, and why the use of drive encryption software like AlertBoot is sometimes necessary on seemingly public and innocuous data such as your address book.
Don’t see the connection? Read on.
A New Old Scam (Much Older Than You Imagine)
Adam Ostrow at mashable.com is pointing out that if you follow the link to the “check this out” message, a page asks you to log in with your Google credentials to watch a video. I don’t know if there actually is a video at the end of the phishing rainbow, but I’m pretty certain that your creds are now compromised.
Of course, the words “check this out” has been an old tactic for phishing. Did you know, though, that phishing is as old as the hills? That’s because phishing is a classic numbers game: the more people you reach out to, the higher the chances that you’ll bait someone.
Variations exist. I’ve already described before the stock market scam, where a letter is sent to random investors with predictions of the market’s movements over a relatively long period of time (weeks, perhaps months). Due to the way it’s set up, the predictions are right 100% of the time for a select minority.
But there are others. For example, another scam making the rounds is when a person from court calls you up, demanding to know why you haven’t show up for jury duty. He offers you a fine and incarceration, or for jury duty to be deferred. You’re gonna defer? Oh. He’ll need your full name and SSN to make sure he’s talking to the right person and to complete the paperwork.
How do you know he’s not working for the court of looking-out-for-number-one, though? You don’t, and if you don’t fall for this, there are plenty of others who will. The criminal will continue to make those phone calls until he baits someone. It’s a matter of numbers.
Targeting A Few Phish
Of course, the above only works because people are willing to believe. If you’re the suspicious type, you may need other inducements to verify that the other party is who they claim to be.
Which is why a person’s stolen diary or schedule book comes in handy. The names, addresses, and phone numbers found in such notes hold more significance than the same information from the phonebook, since there’s an unwritten extra: a relationship between all names in that diary. And a criminal can use this information in unexpected ways.
For example, Jack’s your friend, and you know Andy, via Jack. You get a call from Frank, who’s a good friend of Jack and Andy. Frank is in a bind, and Andy thinks you can help. Frank’s facing a temporary liquidity crisis of $10,000, which you can easily loan, since you’re the vice president of a good-sized bank.
As collateral, he’ll put up his top-of-the-line Ferrari, which is easily worth ten times the loan. He’ll pay back the loan with interest next Friday, when you, Andy, and Jack are scheduled to have lunch–a meeting that you never mentioned. Frank brought it up. You can drive up in the Ferrari on Friday, and everything will be settled, a good time will be had by all.
Frank drives up in the car, you check it out–it all looks good. Frank thanks you and leaves. Come Friday, you drive up in the Ferrari, at which Andy remarks, “How did you find my stolen car!”
Turns out, “Frank” stole the Ferrari which contained Andy’s business diary in the glove compartment. Your bank is out $10,000 because Frank connected the dots between seemingly non-sensitive data, and applied some chutzpa and imagination.
Should make you think twice about the implications of a stolen anything with supposedly non-sensitive data.
If a scammer combines the numbers game with just a little more data, he’s got a formidable tool.
If a broker loses a laptop with the name of 10,000 investors, and the information is not protected using file encryption software or hard disk encryption software, a criminally-minded person could use that data to perpetrate the classic stock market scam with better results.
The unwritten extra in this case is that he already knows these 10,000 people have the means and the interest to seek a killing in the stock market (why else have a broker?), and hence there is a higher chance of baiting people for some real money.
Or, the criminal could write a letter, pretending to be the broker, and say that he’s moving to a new firm. He’s including new forms for authorizing debits and credits of monies from the client to the new brokerage and vice-versa. Some will be taken by the letter, and the criminal will have the required information–and authorization–to clean out a person’s accounts.
If you think the loss of publically available information is the same thing as getting it from public sources….well, that’s what scammers are hoping.