[LINK] The bad guys have won (was Re: www.ipv6.org.au/summit)
Rick Welykochy
rick at praxis.com.au
Mon Sep 1 11:41:13 AEST 2008
Stilgherrian wrote:
> There may also be other data that they don't immediately think of as
> critical. For example, the very same business client I'm dealing with
> now has a "birthday club" whereby customers' children are sent a
> special treat. A database of kids' names, dates of birth, home
> addresses and phone numbers would be a pedophile's dream... "Happy
> birthday, Julie. Your mummy Susan asked me to give you a special
> present."
The next step is to use this information for targeted phishing.
Example: I have received thousands of phishing emails and never fallen
victim until a couple of weeks ago. I was selling a laptop on eBay
and received an email that looked exactly like all the others I had
received from eBay regarding the laptop. The question in the fake
eBay email was "Do you ship to Chicago?". So I logged in using the
link in the email and was phished! It took me about a minute to realise
I had been cheated and I immediately logged into the real eBay and changed
my password.
If an attacker has detailed personal information gleaned from a
user's Windows box they can then send very specific and convincing
phishing emails to the victim.
When you are in a rush and an email arrives that fits exactly what you
expect and what you are currently dealing with, it is much easier to
get suckered.
The good thing about my experience with the eBay phish is that I will
never do that again.
Do what? I will never click on a link in an email without first examining
it and determining whether or not I can trust it.
Aside: another clue was that the email recipient in my case was "Undisclosed
Recipients", so if I had bothered to read the email headers instead of
compulsively jumping in and clicking on the link inside, I would have
immediately suspected foul play.
How often do you pause and read the email headers and evaluate their
veracity or lack thereof?
How many emails do you get every day that ask you to click on a link
to watch a video on YouTube or to grab a joke, a picture or an e-card?
If such an email contains personal information about you, perhaps gleaned
by an attacker who has visited your PC, would you be fooled? Would you be
fooled if you were in a rush and not thinking clearly?
cheers
rickw
--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor
Do you realise that in forty years we'll have thousands of old ladies
running around with tattoos and rap music will be the golden oldies?
-- Maxine
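The two clues the message above points at, the recipient header and the real target behind a link's visible text, as a small triage check. This is an added example, not code from the original message; the sample email, host names and addresses are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the post; every host and address is invented.
SAMPLE = b"""From: eBay Member <member@ebay.example>
To: Undisclosed Recipients:;
Subject: Question about item: laptop
Content-Type: text/html

<p>Do you ship to Chicago? Respond here:
<a href="http://signin.mail-ebay-login.example/ws/eBayISAPI.dll">http://signin.ebay.example/ws/eBayISAPI.dll</a></p>
"""

class LinkExtractor(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def domain_of(value):
    """Last two labels of the host in a URL or e-mail address, lower-cased."""
    host = urlparse(value).hostname if "://" in value else value.rsplit("@", 1)[-1]
    return ".".join((host or "").lower().split(".")[-2:])

def triage(raw, my_address):
    """Return a list of red flags for the message; an empty list means none found."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    to = str(msg.get("To", ""))
    if my_address.lower() not in to.lower():  # the "Undisclosed Recipients" clue
        flags.append("not addressed to you: %r" % to)
    sender = domain_of(parseaddr(str(msg.get("From", "")))[1])
    html = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(html.get_content() if html else "")
    for href, text in extractor.links:
        if "://" in text and domain_of(text) != domain_of(href):
            flags.append("link text %s hides href %s" % (text, href))
        if domain_of(href) != sender:
            flags.append("link %s is not on the sender's domain %s" % (href, sender))
    return flags
```

Run `triage(SAMPLE, "you@your-domain.example")` to see the three flags the sample raises; the same function applied to a genuine notification addressed to you, whose links sit on the sender's own domain, returns an empty list.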