Welcome to the SecAware blog

I spy with my beady eye ...

11 Dec 2007

Email scams increasingly sophisticated

Two news stories illustrate the increasing sophistication of email security threats.

The New York Times describes the hijacking of someone's Web-based email account to send pleading messages to all of their contacts, asking for money. The emails naturally appear to come from the legitimate owner of the address and are therefore more likely to be trusted implicitly by at least some of the recipients. This is far from the first time we've heard about hackers taking over webmail accounts, eBay IDs and the like. How they achieve the takeover is not usually clear, but there are several possible methods: brute-force guessing of the password, fooling the weak "I've forgotten my password" recovery checks (which typically rely on personal details that are easy to look up), Trojan keyloggers and more.

Meanwhile, the Wall Street Journal reports on successful spear-phishing attacks against executive managers. The scammers send emails that use the person's name and other identifying information (perhaps gathered from social networking sites or elsewhere on the Web) to fool them into following dubious links. Their PCs are then infected with malware, typically keylogging Trojans according to the article. Thereafter, everything the exec types (bank details, passwords, secret documents, whatever) is also available to the scammer. Nasty.

Both stories demonstrate the effectiveness of social engineering methods. We humans naturally trust our friends and acquaintances. Scammers who somehow succeed in appearing to be our friends and acquaintances are taking advantage of that trust.

UPDATE Dec 11th: The "I'm stuck in Nigeria - please send money" email scams evidently work just as well in India too.


  1. Great post. These scams are getting more and more sophisticated, and the people who fall for them aren't necessarily work-at-home types anymore, either!

  2. Trust me when I say I know first-hand what you're talking about. I thought for sure I was too web-savvy to ever fall for some sort of scam, especially an email scam. I thought wrong. It happened today and it was through eBay/PayPal. Mainly just PayPal. I was trying to "sell" an item and literally shipped it off and paid for the shipping before realizing what had happened. Makes me feel pretty dumb. I wrote an article about it on my blog. You can read it here. I know that with the web being implemented into people's everyday lives more and more, people are always getting more web-savvy; I just don't think it's happening quickly enough, especially if someone like me, who has been using the internet for almost 10 years now and is a programmer/web designer at that, gets fooled by something like this. I encourage you to check out the link I gave and read my article. It's a perfect example of just how tricky these emails can be.

    Great post here, I'll check back again soon!