Web sites that use e-mail addresses as identifiers for password reminders and registration are open to exploitation by scammers to generate detailed profiles of people, security company Blue Security said this week in a research report. (Click here for the PDF.)
In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer.
Web sites that use e-mail addresses in their password-reminder and registration process could enable scammers to generate detailed profiles of people.
The more malicious e-mail gets tailored to the recipient, the more careful Internet users may have to become--an added burden on them.
Using information gathered from a number of sites, they can tailor malicious e-mail to the recipient. That makes it more difficult for Internet users to distinguish real messages from those that are junk or part of a cyberscam. Also, customized messages are less likely to be caught by spam filters, experts said.
"Phishing attacks fairly recently have started getting more personalized and targeted," said Dave Jevans, chairman of the Anti-Phishing Working Group. Such fraud-related messages now include the recipient's name or e-mail address, or have even more information about the receiver, Jevans said.
is a prevalent type of online fraud that attempts to steal sensitive information such as user names, passwords and credit card numbers. The thieves then sell the information or use it to commit identity theft. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.
Scammers usually have lists of e-mail addresses, either invented, bought or collected online using harvesting tools.
The trick in the registration or password reminder attack is in the response. Many online businesses return a specific message--such as "This address is already subscribed"--when an e-mail address is registered with the site. If an attacker gets that response, they know that address represents a valid customer.
How does profiling work?
This example illustrates how cybervillains could build up profiles of a potential victims, to better target their scams.
Source: Blue Security
By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address, Blue Security CEO Eran Reshef said.
"Imagine that somebody knows all the Web sites you ever registered with, and think about what one can infer from that," Reshef said. "By aggregating all this information you create a very detailed profile of the person, not just snippets of information."
As a result, attacks could have a higher success rate, because the e-mail presents unsuspecting recipients with accurate information in a message that looks like legitimate correspondence. For example, an e-mail purporting to come from a bank or credit card company could name the recipient and refer to an online store that the recipient actually uses.
Blue Security has found that a majority of the most popular U.S. Web sites allow "hostile profiling" by phishers and spammers. Additionally, many smaller Web sites, including online stores, sports teams' Web sites, political organizations and other groups are vulnerable, Reshef said.
However, hostile profiling does not seem to have become widespread yet, according to Blue Security's research.
Some Web site operators--major banks, for example--appear to be aware of the problem, Reshef said. These sites don't let people register