Thursday, September 20, 2012

If phishers acquire smarts, we're really in trouble

Phishing is a lucrative business. If it weren't so lucrative, people wouldn't take the time to perform it. While phishing doesn't take a lot of effort, it does take some effort, and the phisher needs to get a positive return on investment. Often, he/she does.

One morning, I received an email from a former co-worker's private email account. For some inexplicable reason, my employer's mail filters directed this email to my junk mail folder, instead of my inbox. I can't understand why, though, since my former co-worker wanted to share some wonderful information with me. The email included a link, preceded by this text.

wow this is pretty awesome you should give it a look

"Odd," I thought. "My former co-worker is a very intelligent person, and usually she writes in complete sentences. Maybe she's sick or distracted and isn't able to write to her usual standards."

My eagerness to click on the link that she provided was overridden by my concern for my former co-worker's health. I went to her Facebook account to see if she was ill...and discovered a message from her saying that her email had been hacked. Imagine that! Who would have guessed?

Seriously, the one thing that is disappointing about phishing attempts is that so many of them are written so poorly. Samuel Kofi Atta Mills sends faxes in ALL CAPS. My former co-worker has apparently forgotten to use ANY caps (or periods).

Yet in some cases these phishing attempts work extremely well. Take a step back and pretend that you had never seen one of these things before, and weren't aware of the dangers. Now be honest - if a good friend of yours sent you a link and said that it was awesome...wouldn't you click on it?

Many people do.

But imagine how many people would click on these links if the phishers just took the time to write their messages in proper English.

But there's an even greater danger.

In the case of my former co-worker, the phisher gained access to her personal email account. What if, before sending out the phishing message, the phisher had taken a couple of minutes to analyze the contents of that account? Find out some information about the holder of the account, phrases the person likes to use, etc. In that case, I might have received a message like this - and fallen for it:

Hey, John, how are things? I'm loving Southern California even though I'm still a Badgers fan. You have to check out this link. Woo hoo!

This is possible, and it may even be possible to automate it.

Then we're really in trouble.