So now the bad guys are taking time to target me, directly, hoping to undo my brand and my blog in order to get to the very people I'm trying to protect. And it's not just me in the online crime fight that they're targeting. On Friday, multiple e-mails I received from a scammer going by the name of Praveen Tapase were cc'd to NetSafe.org, Crime-Research.org, 419scam.org, even an officer in the City of London.
Their intent? To get us to open attachments (is this a real job offer?) and to divulge our trade secrets in how we track down their scams and scam sites. I sent back a note to the first e-mail saying I don't open unsolicited attachments and that I could tell by the crappy writing and the fact he was "hired unseen without so much as a phone interview" (derived from the unattached part that I could read) that this was a general tip-off that it's a fraud. Another one of my peers sent back much more information on matching area codes in the phone number in the e-mail to a different country of origin, running the body of the e-mail through scamomatic.com/ (which verified it as known fraud), etc. -- all useful to scammers wanting to hone their deceptions.
They're also targeting our brands. For me, it started in June, when a Tim Mukata, managing director of CAL Rwanda, an "IT company in Rwanda," e-mailed asking if he could use my e-Security Awareness Courses to train 8-10 of their employees or their client's employees (it was hard to tell which from his writing). "Unfortunately," he wrote, "our Internet connectivity/bandwidth is not that great here to allow for online courses. Can we work out something, like having the courses downloaded?"
Right, Tim, I wrote back. Like as in I give you PowerPoints with my brand on them so that you can do whatever you want with them? No way. How about a PDF, I asked. (PDF file locking makes it harder to hack and inject malware into the PDF files.) And, I added, how do you propose to pay for them? Never heard from him again.
What chilled me about this was the possible use of my brand to harm others. Imagine if this Tim guy took my courses and injected a keystroke logger installer into said courses, then started passing them around the Internet as Deb Radcliff's and the Security Consortium's online safety courses, free for use, blah blah, and everyone who took them got their passwords to their online banking and other accounts hijacked. Averted, yes, because I could smell the rat.
But what if one slips past me? Today, the bad guys tried just that and went directly to my OnlineCrimeBytes blog by posting a similar-sounding message as a comment in one of my blog sections about online job offer scams. It said:
"I received a job offer letter from Crownjewel Hotel Penang Malaysia. Please let me know is it a scam mail. Regards Pramod" -- Commenter name: crownjewelhotel@... malaysia.com (characters removed for your protection). Contact -- an unassociated e-mail account at Yahoo.
Fortunately, I'm neurotic about reading comment notifications ahead of all other e-mail and deleted it first thing this morning without further inspecting its attachments.
What gives pause is how this has become personal enough for criminals to take the time to specifically get to know their intended victims – in this case, figures public enough on the Internet that information about them is easy to find. It also takes time to track down correct contact information, contact them directly, and compose letters/postings that sound just like the victims these public figures are trying to protect.
Darkly, I'm sure they're starting to automate that, selling off lists of well-researched targets and knowing just what to write to motivate those targets to click a link, open an attachment, or post something bad on their sites. It's evident, given that these things are coming in duplicates now: same criminals, same targeted mailing list, differently titled scam letter inside.
The trend that security researchers have been talking about for a while now, targeted attacks, is just another way peddlers are gathering virtual information on very real people and using it against us.