Phishing using scary bait

* University professor sees a phish about his own job.

Job offers in phishing e-mail are designed to trick users into revealing confidential personally identifiable information (PII); they may also be hoping to fool victims into sending criminals some money. PhishBucket's article dated Oct. 12, 2008 and entitled "The Two Things Job Phishers Want from You" summarizes the techniques used by phishing criminals. The excellent site organized by PhishBucket.org has a good deal of current information about the latest scams; use "job offer" in the search field for an instant list of reports with specifics.

Recently a colleague (let's call him Watson) who is the chief information security officer (CISO) at a U.S. university forwarded information that he is willing to share anonymously with readers of this column. In mid-May, he received an e-mail urging him to apply for his own job! He checked with the Human Resources (HR) Department and found that, on the contrary, his renewed contract was just being signed by the director. In today's economic climate, readers will understand how scary this phishing scam could be to unprepared employees.

Watson traced the e-mail to a specific company despite its having registered its Web site with GoDaddy.com, which, like many other domain name system registrars, makes it difficult to locate the actual owner of a domain. Nonetheless, by looking at the e-mail headers and at the actual Web site referenced in the phishing message, and by searching for its owners, Watson was able to track down the actual senders of the message, who turned out to have offices in the United States.
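As an added illustration (not code from the column or from Watson's report), the Python below does on a constructed message what Watson did by hand: it walks the Received chain to find the first external hop, pulls the domains linked in the body, and flags the two things that made this message actionable, a link to a domain IT has chosen to block and a job offer that names the recipient's own title. All hostnames, addresses and the block list are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of an "apply for your own job" phish; it is not the
# message from the column, and every host and address is a placeholder.
SAMPLE_PHISH = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10]) by inbox.example.edu
Received: from mail.jobs-offer.example (unknown [203.0.113.45]) by mx.example.edu
From: "Career Services" <recruit@jobs-offer.example>
To: ciso@example.edu
Subject: Opening: Chief Information Security Officer at Example University
Content-Type: text/plain

Your position is now open to applicants. Apply today at
http://jobs-offer.example/apply?id=42 before the deadline.
"""

# Domains the IT department has decided to block (constructed list).
BLOCKED_DOMAINS = {"jobs-offer.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyse_phish(raw, own_title, blocked=BLOCKED_DOMAINS):
    """Return the first external hop, linked domains and policy findings."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received header, so the last one in the
    # list is the earliest hop: the server that handed the message to us.
    received = msg.get_all("Received", [])
    first_hop = received[-1] if received else ""
    ip_match = IP_RE.search(first_hop)
    origin_ip = ip_match.group(1) if ip_match else None

    sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    link_domains = sorted({urlparse(u).hostname.lower() for u in URL_RE.findall(body)})

    findings = []
    if sender_domain in blocked or any(d in blocked for d in link_domains):
        findings.append("blocked-domain")
    if own_title.lower() in (msg["Subject"] or "").lower():
        findings.append("offers-own-job")
    return {"origin_ip": origin_ip, "sender_domain": sender_domain,
            "link_domains": link_domains, "findings": findings}
```

The origin address and the link domains are what go into the abuse complaint to the ISP and the blacklist entry respectively; the job-title match is what an employee can verify with HR before clicking anything.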

Watson analyzed the situation as follows in a report to the HR Department and the University Legal Counsel.

"I am recommending that the University's attorneys prepare legal action against the criminal organization.

There are serious problems here, some of which may violate the CANSPAM Act. That is for our attorneys to decide.

I am sending this report to our IT department with a recommendation to blacklist the offending domain and notifying our chief information officer of this abuse of our data. I am also forwarding a specific complaint about the criminal organization and its tactics to its Internet Service Provider. As I read their Acceptable Use Policies, these criminals have violated those terms and we should be able to get the fraudulent Web site and possibly the originating e-mail account shut down.

The only ways the criminals could have obtained the information in the description of the job they are offering victims are either

• to have harvested some of the victims' e-mail without permission, containing signature blocks, or

• by harvesting data available on the University Web site – where we have an explicit warning that the directories may not be used for unsolicited e-mail. It is not legal to use fraudulent or other illegal means to harvest e-mail in this manner.

Further, under copyright law, the sender owns the copyright to any e-mail (s)he generates; if the criminals did intercept third-party e-mail and used information from those messages without permission of the authors they have likely violated copyright law (17 USC §201 ff). Note that it is no longer necessary to register or even to indicate a copyright. The act of publication to at least one other person is sufficient to establish copyright in most cases and, generally, creation of the document in itself suffices. There is no need for the author to notify anyone that e-mail is privileged: it is so without notification under the copyright law. [MK adds: for a narrated lecture on intellectual property law download a 109 MB ZIP archive containing an MS-PowerPoint file.]

The criminals are offering potential victims a chance to apply for the jobs they currently hold. Since the perpetrators know from the harvested data that the recipients already hold the specific positions being fraudulently offered, they know that they cannot deliver on their offer: these are classic bait-and-switch tactics, which are illegal.

These actions are harmful to the university and I have instructed HR to notify all our faculty and staff to be wary of all similar communications, especially from the particular organization involved in this case, until we permanently block all domains that we can associate with these criminals."

* * *

Readers will understand that if employees who are not aware of this scam receive similar e-mail, there's a good chance they will be alarmed and click on whatever link is in the phishing message to find out what's going on. Once on the rogue Web site, all bets are off. Employees might download malware or fill in forms that ask for PII that can result in identity theft. Readers should emulate Watson and make sure that all employees know that unsolicited job offers for their own jobs are scare tactics designed to trick them into giving away control over their own information to criminals.

Let's fight fear tactics with knowledge and awareness.
