Want CNET to notify you of price drops and the latest stories?

Phishers get personal

Spammers and online fraudsters are exploiting Web site features to learn more about their victims and better hone their attacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
5 min read
Spammers and phishers are learning more about potential victims to better hone their attacks.

Web sites that use e-mail addresses as identifiers for password reminders and registration are open to exploitation by scammers to generate detailed profiles of people, security company Blue Security said this week in a research report. (Click here for the PDF.)

In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer.


What's new:
Web sites that use e-mail addresses in their password-reminder and registration process could enable scammers to generate detailed profiles of people.

Bottom line:
The more malicious e-mail gets tailored to the recipient, the more careful Internet users may have to become--an added burden on them.

More stories on this topic

Using information gathered from a number of sites, they can tailor malicious e-mail to the recipient. That makes it more difficult for Internet users to distinguish real messages from those that are junk or part of a cyberscam. Also, customized messages are less likely to be caught by spam filters, experts said.

"Phishing attacks fairly recently have started getting more personalized and targeted," said Dave Jevans, chairman of the Anti-Phishing Working Group. Such fraud-related messages now include the recipient's name or e-mail address, or have even more information about the receiver, Jevans said.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as user names, passwords and credit card numbers. The thieves then sell the information or use it to commit identity theft. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites.

Scammers usually have lists of e-mail addresses, either invented, bought or collected online using harvesting tools.

The trick in the registration or password reminder attack is in the response. Many online businesses return a specific message--such as "This address is already subscribed"--when an e-mail address is registered with the site. If an attacker gets that response, they know that address represents a valid customer.

How does profiling work?

This example illustrates how cybervillains could build up profiles of a potential victims, to better target their scams.

  • An attacker obtains a list of e-mail addresses. The scammer can buy a list, collect addresses from the Internet using harvesting tools, make up e-mail addresses, or use other means.
  • A script is written to automatically run the e-mail addresses against the registration and password-reminder features of Web sites.
  • Responses let the attacker know if an address is registered with the site. The data is used to compile profiles.
  • Profiles are used to target spam and phishing e-mails.
  • Source: Blue Security

    By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address, Blue Security CEO Eran Reshef said.

    "Imagine that somebody knows all the Web sites you ever registered with, and think about what one can infer from that," Reshef said. "By aggregating all this information you create a very detailed profile of the person, not just snippets of information."

    As a result, attacks could have a higher success rate, because the e-mail presents unsuspecting recipients with accurate information in a message that looks like legitimate correspondence. For example, an e-mail purporting to come from a bank or credit card company could name the recipient and refer to an online store that the recipient actually uses.

    Blue Security has found that a majority of the most popular U.S. Web sites allow "hostile profiling" by phishers and spammers. Additionally, many smaller Web sites, including online stores, sports teams' Web sites, political organizations and other groups are vulnerable, Reshef said.

    However, hostile profiling does not seem to have become widespread yet, according to Blue Security's research.

    Some Web site operators--major banks, for example--appear to be aware of the problem, Reshef said. These sites don't let people register

    with their e-mail addresses as their login name, he said. They also require additional information for registration or password reminders, or use other security measures.

    eBay is one online business that does not allow registration and password reminder attacks. The auction Web site stopped using e-mail addresses as user IDs before phishing became an issue, and it has taken other protective measures in its registration and password-reminder process, said Scott Shipman, senior counsel for eBay's global privacy practice.

    "It is all designed to prevent the unauthorized disclosure of information, be it the simplest piece of information, such as whether or not that e-mail address or user id is actually a valid user ID on the site," Shipman said.

    In eBay's case, the reminder feature for user IDs gives the same response, regardless of whether the e-mail address is registered with the site. "The language of the error message will not tell you whether or not it was a valid account," Shipman said.

    Designing a Web site to not leak information about users is what all site operators should do, the eBay executive added. "It is an example of a type of practice that is a best practice," he said.

    Hostile profiling is only one way phishing messages are getting more targeted. Earlier this month, security researchers reported that stolen consumer data was used in phishing scams to rip off individual account holders at specific banks.

    Jevans at the Anti-Phishing Working Group said that Blue Security's study highlights an emerging phishing threat, and agreed that online organizations should take steps to eliminate vulnerable registration and password-reminder features.

    "I think the research is real. You can certainly code your site to not do that, and you probably should," he said.