Yesterday we published our annual report, which includes my favourite topic – how the threat landscape’s going to change in 2009. One of the things we expect to see is an increase in the number of phishing attacks and scams on the Internet:
“Secondly, the technical sophistication needed to develop and spread new malicious programs will force many cyber criminals to search for simpler and cheaper ways of making a profit. Phishing may be one of the more attractive solutions.”
And, whether by coincidence or design, yesterday I got an email which is just what I’m talking about above – a scam that’s easy and cheap to implement.
Subject: please see the attachment
Sender (fake): Internal Revenue Service [firstname.lastname@example.org] Message: Please see the attachment make sure you fill all the columns and send fax to: +1-646-308-1145.
This type of phishing has been around for a while, but it’s the first time I’ve received a message like this – maybe I’ve just been lucky, because I know my address is all over spammer databases 🙂
This is so-called offline phishing; the bad guys don’t even go to the trouble of making a fake site, but just ask you to fax through all your details. Using a fax number gives an additional aura of credibility to the whole thing – most people have heard of phishing sites, but a lot of them won’t have heard of phishing by fax. And the combination of a government department and a fax number fits perfectly with the perception that public institutions are more than a bit behind the times.So what threat do these messages pose? (Apart from the obvious scam factor, that is.) Well, files attached to messages could easily contain malicious programs – the sample I got had two Word docs attached. There’s nothing that makes this type of file inherently less dangerous than executables. If you’ve been following the news, you’ll know about the unpatched vulnerability in Adobe PDF Reader, and that it’s being exploited using OLE files – that’s just one example of the threat that MS Office files from untrusted sources can pose.
Because we’re experts, though, we know how to open files like this safely. So we did, to take a look at what the authors of the email wanted from us.
This is what’s in the file called Form W-4100B2 A1.doc.
And this is what’s in the file called Form W-4100B2A2.doc.
It’s pretty clear that the information you’re asked to give is exactly the type of information which always features in media reports about data leaks. And exactly the type of information that the bad guys can use to do a thousand and one bad things…all under your name!
Let’s dig a bit deeper and take a closer look at these documents or rather, at their properties.
The second file claims to be FORM W-4100B2. A quick Google gives results for a similar mass mailing back in November 2008. There’s an example here and you can see that since November, the only thing that’s been changed is the fax number.
However, the document properties show it was originally called FORM W-8BEN (NRA Recertification). Another quick Google shows results for scams which used this document running from the beginning of 2007 up until autumn 2008.
It’s no surprise that this form is almost identical to a genuine IRS document which has the same name. The only difference is that the legitimate form clearly states “Do not send Form W-8BEN to this office. Instead, give it to your withholding agent” rather than asking for information to be faxed back.
So the file properties show the old file name, even though it’s currently circulating under a different name. Makes it look almost certain that it’s the same person (or group of people) behind all the attacks – s/he just recycles the original file with slight modifications. We even know that this was last done on 22nd November 2008.
I find this pretty depressing. Someone’s been sending out these messages for at least the last two years, just tweaking the attack sometimes by changing the fax number and the name of the documents. And it looks as though they’re not having any problems at all.
See for yourself. Take a look at the number – +1-646-308-1145. It’s only linked to the current attack. Take a look at the complaints from victims. Take a look at the IRS site which has info about attacks like this. And what action is being taken? As far as I can see, none.
I don’t know the details of US law regarding anonymity for the owners of phone numbers. It just strikes me as pretty strange that for a long time now, the guys behind these attacks have been exchanging their old numbers for new ones without anyone trying to track them down and arrest them.
Take care of yourself, and take care of your personal details. “Phishing for dummies” is going to happen more and more often in 2009. It’s easy. It’s cheap. And at the moment, there doesn’t seem to be much danger of getting caught.