Marketing Genius from Maple Creative


Marketing tips, observations & philosophy, plus a few rants and random musings - from those who practice, preach and teach marketing, research, advertising, public relations and business strategy.

Friday, May 18, 2007

New Phishing E-Mail - Frighteningly Realistic

Continuing on the e-mail saga, I was reminded that we cannot be too careful these days. Whether you are a marketer or not, you should be wary of opening anything from an unknown source, anything that is unsolicited--and especially anything with embedded files or code. I share this story in the hope that it will help you avoid the hazards of e-mail viruses, phishing scams or identity theft. This one almost got me.

Earlier this week I was shocked to see an e-mail message from the Better Business Bureau notifying me that someone (a Marcia E. Whittington - I have never heard of her) had filed a complaint against Maple Creative. While I was not aware of anything that we had knowingly done to warrant such a filing, I was troubled by the message.

It looked official to me ... at least initially. The message originated from a sender with the Better Business Bureau suffix (bbb.org). Plus, it had the organization's logo masthead graphic embedded into the message. Topping this off was an apparent case number that had been assigned.

However, upon further examination, I noticed in the message text a hyperlink. Through my message preview pane I placed my mouse over the hyperlink and saw that it was linked to an odd URL with ".exe" at the end. This indicates an executable file, or program code. I knew better than to click on any hyperlink to executable code or files. At that point, I became more suspicious and set out to search for "Better Business Bureau e-mail hoax." After some surfing and searching, I found the following press release on the BBB site.

BBB Issues Alert for Phishing Attack Targeting Thousands of Businesses and Consumers

Scam uses the “BBB” Name to Attract Victims

For Immediate Release

UPDATE - Arlington, VA, March 1, 2007 - The Better Business Bureau System warns all businesses across the United States and Canada of a spoofing scam using the BBB name and a false BBB e-mail address to entice recipients to access potentially damaging hyperlinks.

In February, a firm had its computer system hacked and that firm's system generated thousands of counterfeit messages to businesses and consumers, purporting to be a complaint filed with the BBB. Recently, another firm was hacked and similar emails have been received by businesses across the country.

The attack has NOT affected the computer system of any BBB nor have any of their data been compromised. As with most other phishing attacks, the perpetrators have attempted to pose as a respected business to gain the confidence of phishing victims. The BBB is working with authorities to thwart these malicious attacks.

The most recent e-mail has a false return address of consumer-complaints@bbb.org and a phishing hyperlink citing a BBB complaint case number, for example, "DOCUMENTS FOR CASE #BBA749BED0". These links actually direct access to a subdirectory of the hacked firm's website where users are asked to download documents related to the complaint. The download is actually an executable file that is believed to be some form of a computer virus.

All recipients are advised that any e-mail from the consumer-complaints@bbb.org address is not coming from any BBB and should be considered counterfeit. The BBB strongly encourages recipients of any such message to delete the message immediately without clicking on the "DOCUMENTS FOR CASE" links.

The phishing e-mail return address of consumer-complaints@bbb.org does not exist and is being "spoofed." Spoofing occurs when an e-mail address is altered to appear as if the message originated from a legitimate source. This is a common practice for both spam e-mail and phishing operations.

Phishing is a term coined by computer hackers, who use e-mail to fish the Internet hoping to "hook" recipients into giving them logins, passwords and/or other sensitive information. In all these scams, the phisher first impersonates a legitimate company. In a typical scam, the phisher instructs recipients to click on a convenient link to receive or provide information that can then be used by phishers to access the recipient's sensitive personal or business information. For more information about phishing and for tips to avert other scams, please visit www.bbb.org.

# # #
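
The hover check described in this post can also be done in code before a message reaches a reader. The following is an added example, not part of the original post or the BBB release: it pulls every link target out of an HTML message and flags those that point at an executable file or at a host other than the claimed sender's domain. The sample message is constructed from the description above; the link host, file name and extension list are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions treated as executable downloads (assumed list for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")

# Constructed sample modelled on the message described above; link host is a placeholder.
SAMPLE = """\
From: Better Business Bureau <consumer-complaints@bbb.org>
Subject: Complaint filed against your business
Content-Type: text/html; charset="utf-8"

<html><body><p>A complaint has been filed against your company.</p>
<a href="http://hacked-firm.example/bbb/complaint_docs.exe">DOCUMENTS FOR CASE #BBA749BED0</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering over the link reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def check_message(raw):
    """Return a list of (href, reasons) for each link that deserves suspicion."""
    msg = message_from_string(raw)
    # Domain the message *claims* to come from (the From header can be spoofed).
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    findings = []
    for href in collector.hrefs:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("link target is an executable file")
        if host != sender_domain and not host.endswith("." + sender_domain):
            reasons.append("link host differs from sender domain")
        if reasons:
            findings.append((href, reasons))
    return findings
```

The host comparison is a heuristic, since legitimate mail often links to third-party hosts; a link to an executable is the stronger signal.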


1 Comments:

Blogger Michael Durnack said...

This type of attack is better known as spear phishing.

It is targeted at the receiver with personalized information that provides a feeling of legitimacy due to specific associations.

The best defense for protecting your information is self defense.

9:08 PM

 
