
Scott Wright's Security Views (ScottWright)
Secrets of an Identity Thief Interpreted for Your Edification

Friday, March 6th 2009 @ 11:46 PM

Did you ever wonder why hackers, phishers, and scammers go to all the trouble of creating so many fake emails and messages on social networking sites? It's primarily to steal user IDs, passwords and identity information that can be sold to other spammers. This article is apparently an interview with an 18-year-old phisher who's been doing it for at least 4 years. There is some controversy over the hacker's claims, but the writer who did the interview (RSnake) is respected in the security industry, and says he has verified some of the individual's claims.

There is a bit of technical jargon (and some crude verbiage in the appended comments), but the important points to note are:

  • He claims to have stolen over 20 million identities
  • He says he did it all by himself using easily available tools online, although he's had lots of offers to join larger syndicates
  • He targets teenagers mostly, by having automated tools that post messages that appear to be from "friends" in social networking sites like Facebook and MySpace
  • He says he creates plausible websites with realistic domain names, and collects data from people by online forms they fill out when they get to his sites
  • He says over 50% of people use the same password in more than one account, which increases his profitability greatly
  • He says he makes at least $3,000 per day from his scams
  • He uses some moderately complex tools to hide his location
  • He says that, while Firefox 2 and Internet Explorer 7 browsers (or newer) have phishing filters that put a dent in his progress, it's still very easy to harvest identities through phishing
  • His closing comment is that "Lazy Web developers are the reason I'm still around phishing", meaning that if the social networking sites had built more security into their applications, he would have a much harder time being successful
  • Further comments to the article indicate that "a recommendation from a friend" is the most convincing way to get somebody to follow a link to a phishing site. All the phishers have to do is get somebody to accept their friend invitations to start the ball rolling. So, be very skeptical of referrals to websites from friends for "great deals" on anything.

The bottom line is that you should not rely on information or links from a social networking site unless you can verify that it is legitimate from another source.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
