Keyloggers + Social Engineering = Identity Theft: Fraudsters Exploit Human Frailties with Seductive Messages
Fraudsters and cybercriminals continue to find creative ways to exploit technology and human weakness to facilitate their crimes. Another new exploit they are using is hijacking popular Google search terms, typically targeting bank sites, and then inserting HTML into the legitimate response pages to get end-users to provide personally identifiable information (PII), typically website user IDs and passwords, often in conjunction with keyloggers they download to the victims' computers.
While this exploit does require a small monetary investment by the criminal, it is worth it to the fraudsters to get the much more valuable PII to either sell to other criminals, or to use for their own crimes. These are not nickel and dime crooks, these are some serious crooks who know how to dupe people out of their money by creating an appealing, seductive promise or image that the enduser thinks will ultimately help him or her in one way or another. As the article states, "Attackers are realizing that in business, you need to spend money to make money." Indeed, potentially many times more money than their investment.
Google reportedly removed all the malicious links that were exploited by this scheme, but it is possible they missed some of the links.
This isn't a new type of attack. Cybercriminals know that end-users are less likely to have their computers updated with the latest security patches, and they also know that people are gullible to following the directives provided at what they perceive to be legitimate sites. I still hear, even from folks responsibile for information security, people who say they click on links found through popular search engines such as Google with no worries that they will be sent to a bogus site, or no worries that the link provided may be surreptitiously loading spyware on their computers.
A couple of actions to help fight this type of exploit:
* Monitor websites and search engines for references and links to your organization's website and see if you find any bogus ones. Get those URLs removed.
* Provide training and awareness to your personnel about how to spot bogus websites
* Provide training and awareness to your personnel for how to resist the urge to click URLs promising to take them to sites with "hot pictures" of famous celebrities, or some other bait that many of your employees will fall for.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
Comments
I tell people that if they need to get to their bank/credit institution sites, they need to reference their monthly statement or contact the bank itself in person, if possible rather than search engines and the like. I prefer to be absolutely sure, and then bookmark/record the site for later reference.
Posted by: LonerVamp | May 1, 2007 11:09 AM