
Phishing using scary bait

University professor sees a phish about his own job.

Security Strategies Alert By M. E. Kabay, Network World
May 22, 2009 09:30 AM ET

The long view of security strategies for your network.

Job offers in phishing e-mail are designed to trick users into revealing confidential personally identifiable information (PII); the senders may also be hoping to fool victims into sending criminals some money. PhishBucket's article dated Oct. 12, 2008, and entitled "The Two Things Job Phishers Want from You" summarizes the techniques used by phishing criminals. The excellent site organized by PhishBucket.org has a good deal of current information about the latest scams; use "job offer" in the search field for an instant list of reports with specifics.

Recently a colleague (let's call him Watson) who is the chief information security officer (CISO) at a U.S. university forwarded information that he is willing to share anonymously with readers of this column. In mid-May, he received an e-mail urging him to apply for his own job! He checked with the Human Resources (HR) Department and found that, on the contrary, his renewed contract was just being signed by the director. In today's economic climate, readers will understand how scary this phishing scam could be to unprepared employees.

Watson traced the e-mail to a specific company despite its having registered its Web site with GoDaddy.com, which, like many other domain name system registrars, makes it difficult to locate the actual owner of domains. Nonetheless, by looking at the e-mail headers and at the actual Web site referenced in the phishing message and searching for its owners, Watson was able to track down the actual senders of the message, who turned out to have offices in the United States.

Watson analyzed the situation as follows in a report to the HR Department and the University Legal Counsel.

"I am recommending that the University's attorneys prepare legal action against the criminal organization.

There are serious problems here, some of which may violate the CAN-SPAM Act. That is for our attorneys to decide.

I am sending this report to our IT department with a recommendation to blacklist the offending domain and notifying our chief information officer of this abuse of our data. I am also forwarding a specific complaint about the criminal organization and its tactics to its Internet Service Provider. As I read their Acceptable Use Policies, these criminals have violated those terms and we should be able to get the fraudulent Web site and possibly the originating e-mail account shut down.

The only ways the criminals could have obtained the information in the description of the job they are offering victims are either
• to have harvested some of the victims' e-mail without permission, containing signature blocks, or
• by harvesting data available on the University Web site – where we have an explicit warning that the directories may not be used for unsolicited e-mail. It is not legal to use fraudulent or other illegal means to harvest e-mail in this manner.

Further, under copyright law, the sender owns the copyright to any e-mail (s)he generates; if the criminals did intercept third-party e-mail and used information from those messages without permission of the authors they have likely violated copyright law (17 USC §201 ff). Note that it is no longer necessary to register or even to indicate a copyright. The act of publication to at least one other person is sufficient to establish copyright in most cases and, generally, creation of the document in itself suffices. There is no need for the author to notify anyone that e-mail is privileged: it is so without notification under the copyright law. [MK adds: for a narrated lecture on intellectual property law download a 109 MB ZIP archive containing an MS-PowerPoint file.]

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
