Twitter recently being hacked
Twitter Blog: Gone Phishing is just the latest example of Spear Phishing. Luring someone in based on a common affiliation.
Lately, a new technique, predicted by the University of Indiana talks about gaining the trust of the recipient by putting recognized names and other familiar details into the email body. This makes the email look "genuine" and significantly increases the chance that the recipient will act on the message (the action rate increases 5 times over a "normal" Phishing scam, according to the study).
Social Phishing is a type of highly targeted "spear Phishing" attack that could be made on a few thousand people with high success rates. The University of Indiana study showed a 74% response rate. The control group has a 16% response rate. Correcting this for the typical 3% control response rate (university students are more trusting or less risk averse than the population at large), gives a success rate of about 12%, which would be very productive for the Phishers.
In the on-line world, Phishing has been very successful (for the Phishers). But users are becoming much more savvy, so they are not getting "hooked" as much. For example, the Nigerian email scam is laughably lame now. I have to believe they continue these out of habit, like a dog barking to get a bone. People recognize the fact that there is no personal information in the email. That is the main flaw with "generic" Phishing attacks.
Lotus Notes User Network Penetrated
Fast forward to today. Take the Lotus users' various networks. Searching PlanetLotus.org, various blogs and the IBM Notes/Domino 8 Forum would enable anyone to find many names, and quickly identify the popular names based on the number of times it is mentioned. Without a lot of work, you could build a web of connections to be able to pretend to part of the network, or pretend to be referred by someone you know. (A friend of a friend).
That is how Bernie Madoff (pronounced Made-Off, which in English means "to steal") worked his Ponzi investment scheme. Trust. People trusted him because other people trusted him. That is how the "confidence" game works.
Once a network is penetrated, it will be pretty easy to get users to act on emails. Crafting an email would be easy. Even a non-Notes users could take a blog or forum posting from an individual who is frequently mentioned and use it to simulate subject matter expertise. Finishing it off with a request or other action and you have a powerful tool for fraud.
An Email "from" Volker Weber
To penetrate a community, a Social Phishing attack would start by spoofing the name most often mentioned in our Lotus Notes world. Based on PlanetLotus.org's list of Hits in the last 20 days the person most likely to be spoofed would be Volker Weber. Using his name means trust. So, I did what a Social Phisher would do and grabbed a blog posting from Volker's blog to create an example of how said Social Phisher could infiltrate a community and wreak havoc. For simplicity, I shortened it, but it can be seen in its entirety on vowe.net
I then fabricated a plausible story around the blog posting. A real attack would weave real details relating to Lotus Notes with false information or Malware links. I wrote the additions to the blog posting in red, for demonstration, but the Social Phisher would not be so kind to point out the Phishing section!
(Note: This is just a demonstration email. It was not written by Volker. You could take any Lotus Notes or Domino blog and do the same, targeting users in that space, especially those, like me, who freely post their email addresses on-line).
From: volker@vowe.net
To: frank_paolino@maysoft.com
Subject: Winners of the 2009 Lotus Awards
Winners of the 2009 Lotus Awards
by Volker Weber
Best Industry Solution
1. Winner: e-On Integration S.A.
2. Finalist: iEnterprises
3. Finalist: Ascendant Technology
Best Lotus Energy and Environment (Green) Award
1. Winner: KLG Systel, Ltd.
2. Finalist: Alphalogix
3. Finalist: Enterprise Information Management, Inc.
Best Mid-Market Solution Award
1. Winner: iEnterprises
2. Finalist: Pavone AG
3. Finalist: Nortel
...
...
...
Congratulations to all the winners! Click on the links to learn more about the winners and see these excellent Lotus Notes products!
Volker
Find me on-line at:
vowe.net
(these links are the actual links and are harmless.... those in a Social Phishing Attack would not be!)
A spoofed message "from" Volker Weber in this context would be likely to be opened. And the relevant, topical nature of the email would make it widely read.
In a Social Phishing scam, the links would really be Malware such as keyboard loggers. As such, they would be very helpful in gathering all types of information such as PayPal accounts, LinkedIn logins, etc. to continue the scam.
The point is that the Social Phishers are getting a lot smarter, using
context,
recognition
familiarity
to get people to read and act on the emails.
Like spam, these attacks prey on our open protocols (SMTP) and our open Lotus communities. I am not advocating any change in these community sites. PlanetLotus.org, the IBM Forum and all the Lotus Notes blogs are open, and should remain so.
But beware of emails from trusted sources. If you are not sure, reply and ask if they sent it. Do not give personal information in any link provided in an email. With all of these precautions, many of us will still fall prey to these scams.
Here is another blog about Spear Phishing:
Trust and Social Networks: The New Frontier of Phishing
