Spam Slayer: E-Mail Attackers Know All About You
Spammers and scammers are finding new ways to uncover your e-mail address, and a whole host of personal information along with it.
Tom Spring, PC World
Your e-mail address may be telling the world a lot more than just how to get in touch with you, researchers at the security firm Blue Security warn.
Spammers and identity thieves are taking advantage of what Blue Security says is a flaw in the way many Web sites manage their customers' e-mail addresses. By using a technique that Blue Security calls "hostile profiling," unscrupulous folks could learn your e-mail address. Along with it, they may uncover a wide range of information about you--from where you live and what your hobbies are, to your political views, health condition, and buying habits. This information could be used to create more targeted spam messages and e-mail scams, experts warn.
Eight out of ten top Web sites that require customers to submit their e-mail address as part of the registration process are vulnerable to hostile profiling, Blue Security claims. The assaults come in two flavors: registration attacks and password reminder attacks.
Two Approaches
A registration attack works as follows. A spammer tries to register thousands of e-mail addresses at a Web site. If any of them has already been registered, the spammer learns that those e-mail addresses are legitimate and uses them to create a list of working addresses.
Registration attacks also can be used to verify that someone is a registered user of a particular Web site. A spammer or phisher could attempt to register, for example, johndoe@domain.com at RedSox.com. If the owner of that address has previously registered with the site, the spammer or phisher will be told that an account has already been created with that e-mail address.
Password reminder attacks also attempt to find out whether a person is a member or user of a particular Web site. In this type of attack, a spammer or phisher requests that a particular Web site send a password reminder to a certain e-mail address, such as janedoe@domain.com. If no such e-mail address has been registered with the site, that site will let the spammer or phisher know. But if the address has been registered, the scammer may be told that the password has been sent via e-mail, thus validating that address.
Phishers and spammers could easily create a script that would automatically check to see if an e-mail address was registered at thousands of different sites, says Eran Reshef, founder and chief executive officer of Blue Security.
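The two oracles described above, as an added example that is not from the article or from Blue Security: each handler is shown in the leaky form the article describes beside a hardened form that answers identically whether or not the address is registered, plus the check a site owner can run against its own handlers. The registry, messages and the stand-in outbox are constructed for illustration.

```python
# Added example: the two enumeration oracles the article describes, each shown
# as a leaky handler beside a hardened one that answers identically either way.
# The registry, messages and the "outbox" are constructed for illustration.
from typing import Callable, Dict, List, Tuple

REGISTERED: Dict[str, str] = {"janedoe@domain.com": "Jane", "johndoe@domain.com": "John"}
OUTBOX: List[Tuple[str, str]] = []  # stands in for real mail delivery: (to, subject)

def reminder_leaky(email: str) -> str:
    """Password reminder that reveals whether the address is registered."""
    if email not in REGISTERED:
        return "No account is registered with that e-mail address."
    OUTBOX.append((email, "Your password reminder"))
    return "Your password has been sent to your e-mail address."

def reminder_hardened(email: str) -> str:
    """Same reply for known and unknown addresses; only the mail sent differs."""
    if email in REGISTERED:
        OUTBOX.append((email, "Your password reminder"))
    return "If that address is registered, a reminder has been sent to it."

def register_leaky(email: str) -> str:
    """Registration that confirms an existing account to whoever is asking."""
    if email in REGISTERED:
        return "An account already exists for that e-mail address."
    OUTBOX.append((email, "Confirm your new account"))
    return "Check your e-mail to confirm your new account."

def register_hardened(email: str) -> str:
    """Uniform reply; the existing owner is told by mail, not the visitor."""
    if email in REGISTERED:
        OUTBOX.append((email, "Someone tried to register with your address"))
    else:
        OUTBOX.append((email, "Confirm your new account"))
    return "Check your e-mail to continue."

def leaks_membership(handler: Callable[[str], str], known: str, unknown: str) -> bool:
    """Site owner's check: a handler whose reply differs between a registered and
    an unregistered address can be used as a membership oracle."""
    return handler(known) != handler(unknown)
```

The check only covers the response text; a site that also wants to resist automated bulk requests still needs the rate limits or CAPTCHA the article goes on to describe.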
The Symmetry of Attacks
So, why would spammers and phishers go through so much work to verify e-mail addresses?
"Using these types of attacks, spammers and phishers can easily create detailed profiles of people based on their e-mail addresses," explains Reshef.
Based on the sites where an e-mail address is registered, you can make some logical assumptions about who that person is, Reshef says. Armed with that data about someone's geographic location, shopping habits, leisure activities, and even their health, a spammer could more precisely target marketing pitches--something that should be of great concern to individuals, he says.
Phishers could use these profiles to devise even more convincing phishing lures. You might, for example, be more apt to fall for a phishing scam if the phisher knew that you were a Wine.com customer. A phishing message pretending to be from Visa might read: "Our records indicate someone has made fraudulent purchases at Wine.com using your Visa credit card. Please click here and verify your credit card information."
"Hostile profiling is a serious threat to privacy, giving marketers and phishers easy access to your online identity," Reshef says.
According to online advertising experts, this e-mail harvesting technique is illegal. A provision in the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act makes it illegal to harvest e-mail addresses from Web sites or proprietary services. It's also illegal under CAN-SPAM to randomly generate e-mail messages by computer.
Neither password reminder attacks nor registration attacks are widely used today, Reshef says. But consumers should be aware of the potential problem and work to protect themselves from phishers, spammers, and even just a nosy neighbor or coworker who may be attempting to find out where they're registered online, he warns.
Protecting Yourself
Many Web sites, including Friendster, Google, PayPal, and Yahoo, protect themselves from these types of attacks by using a graphical challenge called a CAPTCHA (for "Completely Automated Public Turing Test to Tell Computers And Humans Apart"). With CAPTCHAs, users are asked to view and type in a graphically skewed word that only a human can read. That technique prevents spammers and phishers from creating automatic scripts to perform massive registration and password reminder attacks.
Financial institutions have foiled these types of attacks for years, Reshef says. He says most banks require users to jump through several major hoops, such as a graphical challenge coupled with a request for personal information, before a password reminder e-mail is triggered. "It's time for the rest of the Internet to realize this is a threat," Reshef says.
In my informal tests, I found dozens of sites, ranging from online retailers to lifestyle and political sites, that were vulnerable to hostile profiling. I was even able to identify several sites at which some of my coworkers were registered.
To protect yourself, you should run your own tests and see if a site leaves you vulnerable. And if you want your membership at a Web site kept private, you should update your registration information with an e-mail address that can't be traced back to you.
Q&A
Q: Could you tell me what a "phishing site" is? Thank you.
--Donna M.
A: A phishing site is a Web site meant to trick you for one of two reasons. The most common type looks exactly like a legitimate Web site run by your bank or credit card company, or a commercial Web site like eBay. These sites prompt you to update or verify financial account information. If you do provide personal information to the site, the site operators attempt to steal your money.
A second type of phishing site also looks exactly like a legitimate Web site. When you visit one of these sites, the site operator tries to install software without your knowledge or permission. These programs, called malware, can do nasty things like spy on you when you use your PC and allow hackers to access your hard drive.
The term phishing is meant to sound like fishing--as in fishing for your financial information. The Anti-Phishing Working Group provides an excellent history of the term.
Send gripes, questions, and tips for the spam wars to Tom Spring. Go to the Spam Watch page for more articles.