The Hindu Business Line : Cyber crooks play on ‘thrift’ sentiment

Coimbatore, Oct. 22 It is not unusual for cyber crooks to target e-mail accounts, but when the criminals exposed over 10,000 Hotmail users’ passwords and posted them on a site, the information breach could not be ignored.

The criminals did not stop there. They also posted 2,000 e-mail accounts from Gmail, Yahoo and AOL and others online, said Trend Micro’s Product Marketing Manager for APAC, Mr Abhinav Karnwal, citing a BBC report.

Experts at Internet security firm Trend Micro seemed to have intercepted this in the early hours of October 6. “We were sure it was not a data leakage or information stealing exercise, but a phishing attack,” Mr Karnwal told Business Line.

While cautioning users about opening unknown e-mails or attachment, he said, “Cyber criminals are always on the prowl playing on the consumer landscape of thrift by creating economically-themed e-mails, fake e-coupons, bogus work-at-home schemes and other tactics to cash in and save money. So change your password frequently, type the URL instead of clicking on the link, install updated anti-virus software to protect your system.”

Stating that these cyber crooks used phishing to dupe users of Web-based e-mail services into revealing account and access information, he said, “This is a complex social engineering technique used to trick people into revealing information online or downloading malicious attachments or software onto their computers.” Hackers adopted this technique to dupe users of Microsoft’s free Web-based e-mail service and got the users credentials illegally.

“Microsoft has, however, taken measures to block access to all of the accounts that were exposed. Meanwhile thousands of Hotmail service users information were posted online.”

Spy-phishing

He explained that traditional phishing involved sending out e-mail messages that lead users to a fake Web site that resembled the login pages of certain institutions or companies. “Spy-phishing is a blended threat that combines both phishing and data-stealing malware to prolong attacks beyond the point of availability of a phishing Web site. In this way, criminals can obtain sensitive user information without enticing users to log on to a fake page. They accomplish this by planting a spy in users’ systems so any relevant user action can be transmitted to a remote server. Unprotected users thus stand to lose sensitive information. The spam is personalised and targeted at a specific group of people or organisations in spear phishing.”