Email-based scams are the current attack of choice for phishers, and have prompted widespread warnings about being too casual with your passwords.
Users of Web-based email services such as Windows Hotmail, Google Gmail and Yahoo Mail have been targeted by scammers. Their accounts are compromised and then used to send spam emails to recipients in the user’s address book.
The emails usually invite the recipient to visit a particular Web site for shopping bargains or “exclusive” videos and images. These sites host malware, which infects the visitor’s computer when they go to the site. Because the email invitation appears to have come from someone they know, recipients are more likely to accept it.
Cybercriminals have realised that many people use their free Web mail account address to open financial, social network, travel and other online accounts. Trouble is, they’re careless about security. A recent Sophos survey found 33% of respondents used just one password online, while 48% used just a few different ones. This makes their accounts much easier to crack, giving cybercriminals a legitimate email address from which to send spam and other nasties. (See tinyurl.com/gmailsec for security tips for Gmail users.)
Social networks have also been compromised. An email scam using Facebook pages has been circulating, advising Facebook users that they need to update their passwords. Opening the attached document downloads a Trojan capable of stealing passwords and letting other unwanted applications onto the computer. Twitter users have also been lured to fake login pages by direct messages, where their passwords can be stolen.
Anyone receiving unusual emails from familiar senders is urged to check with that person to see whether they actually sent the email. Anyone who may have entered account information in a phishing site should pick a different password immediately.
Anyone visiting a Web site by invitation should check that it is genuinely secure – look for the prefix ‘https’ in the address.
For advice about secure passwords, read the security feature in September’s NetGuide, page 36.