For this week's Security Watch column and Security Bites podcast, I spoke with Tod Beardsley, lead counter-fraud engineer for TippingPoint, a provider of network-based intrusion prevention systems. The column and podcast talk about how social networking can be used for targeted attacks. Toward the end of the interview, I asked Beardsley about the most interesting case he had worked on in the last six months.
"In the last six months, there was a case involving the Better Business Bureau. This is public. The story there is that the Better Business Bureau keeps these databases of all the complaints they ever get. That's the big sell for them. If I complain to my local Better Business Bureau about some national company, someone else in Spokane, Washington, can reference that, through the Better Business Bureau up there.
"The problem is there wasn't a whole lot of control on these complaint forms. They were accessible over the Internet using a pretty easy brute-force mechanism. So you can get the ID numbers. They're all sequential, they're not random or anything like that. The attack was that a spamming group had enumerated all these complaint forms, and those complaint forms ranged from national corporations to small family practitioners--you know, doctors' offices.
"The deal with doctors' offices is that now you run into HIPAA compliance problems because somebody may be complaining about the medication they got prescribed and stuff like that. The interesting part about this is that the attackers were able to correlate the real names with e-mail addresses with particular business complaint numbers.
"What we saw happen was a whole run of spamming campaigns where the victims were identified personally, which hardly ever happens, and information personally about them about a very recent and usually a personally emotional event in their life that was used as kind of a hook for a phishing campaign. 'Come here and log in here and by the way what's your credit card number?' So it ended up being a very effective, very widespread, pseudo-spear phishing attack. This is, as far as I know, the first time anything on this scale has ever happened."
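The sequential-ID enumeration Beardsley describes leaves a distinctive trace in a web server's access log: one client walking record IDs in order. The following Python is an added example (not from the interview or from TippingPoint) that flags such clients over a few constructed log lines; the endpoint path, log format and run-length threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the page). One client fetches
# two unrelated records; another walks consecutive IDs, as an enumerator would.
SAMPLE_LOG = """\
10.0.0.5 GET /complaint?id=48213 200
10.0.0.5 GET /complaint?id=51990 200
203.0.113.9 GET /complaint?id=100001 200
203.0.113.9 GET /complaint?id=100002 200
203.0.113.9 GET /complaint?id=100003 200
203.0.113.9 GET /complaint?id=100004 200
203.0.113.9 GET /complaint?id=100005 200
203.0.113.9 GET /complaint?id=100006 200
"""

# Assumed log format: "<client-ip> GET /complaint?id=<n> <status>"
LINE_RE = re.compile(r"^(?P<ip>\S+) GET /complaint\?id=(?P<id>\d+) (?P<status>\d{3})$")


def parse_log(text):
    """Yield (client_ip, record_id) for each request to the complaint endpoint."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("id"))


def longest_sequential_run(ids):
    """Length of the longest run of consecutive IDs, in request order."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(text, min_run=5):
    """Map client IP -> longest sequential run, for clients at or above min_run."""
    per_client = defaultdict(list)
    for ip, record_id in parse_log(text):
        per_client[ip].append(record_id)
    runs = {ip: longest_sequential_run(ids) for ip, ids in per_client.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}
```

Flagging a client this way is a detection aid only; the underlying fix is a per-record authorization check so that guessing an ID yields nothing without the right to read it.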