Beyond V*I*A*G*R*A - Evil Phishing Scams of 2012

By Linda Musthaler | November 20, 2012

Posted in: Network Security Trends


You’ve heard the old saying: A chain is as strong as its weakest link. When it comes to IT security within your organization, the weakest link may well be your own workers. It’s human nature to be trusting of others. Scammers and attackers know this and use social engineering in the form of phishing to get people to reveal information or perform an action that eventually leads to compromise or a security breach.

Phishing has changed over the years. What started out as odd messages from a Nigerian prince or ads for pharmacies offering discount V*I*A*G*R*A has morphed into much more convincing messages that appear to come from known and trusted sources. Now the messages seem to come from coworkers, friends and family members, banks and other companies the recipient does business with, government agencies, and so on.

Scammers have gotten much better at putting together a message that makes people want to look at it. Blame it, at least in part, on the human willingness to share lots of personal information on social media websites. The more personal a phishing message appears to be, the easier it is to get the targeted “fish” to take the bait.

According to the Anti-Phishing Working Group, phishing attacks are on the upswing. The APWG compiles worldwide phishing statistics and the numbers for 2012 represent an all-time-high number of phishing sites since the group began collecting this information years ago. The scams are continuously evolving. Once people get wise to one type of scam, the senders change it up and present us with something else.

According to Websense Security Labs, the top five phishing email subject lines in the second quarter of 2012 were:

  1. Your account has been accessed by a third party

  2. LloydsTSB Internet Banking Customer Service Message

  3. Security Measures

  4. Verify your activity

  5. Account security notification

Maybe you recognize getting emails with these subject lines. I sure do.

InformationWeek has issued a report authored by Ron Miller entitled 6 Most Evil Phishing Scams of 2012. This list contains some of the most devious and damaging scams of the year. Looking at five of the top items on the list, you can see how people would easily fall for them. You’ll also notice that the use of text messages – smishing – is becoming more prevalent.

1.  Altering an Outlook Online Website Address Ever So Slightly

When logging on to email remotely, employees use a form of Outlook called OWA, or Outlook Web Access. Perpetrators of a spear phishing attack used a fake URL that was strikingly similar to the real URL for Outlook access. This fake URL led to a malicious website that looked identical to the authentic OWA login page. When users typed in their Outlook login details, the data was captured by the attackers. The site then automatically redirected to the real OWA page at the correct URL. Unsuspecting victims had no idea they had revealed their information to attackers.
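The defensive counterpart to this scam is checking whether a hostname a user is about to submit credentials to is a near-miss of the organization's real OWA hostname. The following is an added example written for this page, not code from the article or from the InformationWeek report; the legitimate hostnames `owa.example-corp.com` and `mail.example-corp.com` are hypothetical placeholders, and the test URLs are constructed. It normalizes common character substitutions (digit-for-letter, `rn` for `m`, accented letters), then flags hostnames within a small edit distance of a known-good name, or hostnames that merely embed the real name as a subdomain of some other domain.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical legitimate webmail hostnames (constructed for this example).
LEGIT_HOSTS = {"owa.example-corp.com", "mail.example-corp.com"}

# Substitutions commonly used to build look-alike names. Unicode letters from
# other scripts (e.g. Cyrillic) are not mapped here; they survive normalization
# and are caught by the edit-distance check instead.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(host: str) -> str:
    """Lower-case, strip accents and fold confusable sequences to their look-alike."""
    host = host.lower().rstrip(".")
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        host = host.replace(src, dst)
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, legit_hosts=LEGIT_HOSTS, max_distance: int = 2):
    """Return (verdict, closest_legit_host, distance).

    verdict is one of: "legitimate", "lookalike", "unrelated".
    """
    if host.lower().rstrip(".") in legit_hosts:
        return ("legitimate", host.lower().rstrip("."), 0)

    n = normalize(host)
    closest, best = None, None
    for legit in legit_hosts:
        ln = normalize(legit)
        # Real name reused as a subdomain of a different registrable domain,
        # e.g. owa.example-corp.com.<something-else>.
        if n.startswith(ln + "."):
            return ("lookalike", legit, levenshtein(n, ln))
        d = levenshtein(n, ln)
        if best is None or d < best:
            closest, best = legit, d

    if best is not None and best <= max_distance:
        return ("lookalike", closest, best)
    return ("unrelated", closest, best)


def check_url(url: str):
    """Extract the hostname from a URL and classify it; invalid URLs yield ("invalid", None, None)."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", None, None)
    return classify_host(host)


if __name__ == "__main__":
    # Constructed sample URLs a mail filter or proxy might see.
    for u in [
        "https://owa.example-corp.com/owa/auth/logon.aspx",
        "https://owa.exarnple-corp.com/owa/auth/logon.aspx",
        "https://owa.examp1e-corp.com/",
        "https://owa.example-corp.com.login-portal.test/",
        "https://www.python.org/",
    ]:
        print(u, "->", check_url(u))
```

Because both the candidate and the known-good names are normalized with the same folding, a substitution such as `rn` for `m` collapses to an exact match (distance 0) rather than relying on the threshold. The threshold of two edits is a starting point; tune it against the real hostnames in use, since very short legitimate names will produce false positives at that distance.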

2.  Using Public Social Network Information to Gain Trust

The scammers pick out a subject who has an unprotected Facebook page with lots of details about friends and family—and who has announced a travel itinerary. Armed with this information, the scammer calls the subject’s grandparents, purporting to be a police chief in the foreign city where the subject is traveling, and informs them that the grandchild has been arrested and needs a certain amount of money wired to the foreign city (to a specified bank account) to be released from jail. What loving grandparent wouldn’t be anxious to help a grandchild in trouble in a foreign place?

3.  SMS Mobile Phone Attacks

This type of attack uses SMS spam on a mobile phone. The SMS message appears to come from someone the target knows. This happens when a user gets malware on the phone, or the scammer uses other means to get the phone number and poses as someone the user knows. The spoof SMS spam will include a link, which the user clicks. That enables the scammer to exploit the device to collect various types of information.

4.  Spear Phishing Attacks that Appear to Come from Internal Sources

This type of attack involves the use of spoofed emails directed at employees within the target entity. They appear to come from HR or a colleague, supervisor or trusted contact inside the organization. These attacks include either links to malicious URLs, where a drive-by download attack will occur within the browser, or increasingly, weaponized document attachments such as PDFs, Microsoft Office files and disguised executables. When the employee clicks the link or opens the weaponized document, malicious code runs unbeknownst to the target. The intent is to establish a beachhead for lateral movement into the network in an effort to search for and remove intellectual property and corporate or government secrets.

5.  Fake Tech Support Calls

Microsoft itself is warning its customers about this scam. Callers pretend to be from Microsoft tech support in order to get an individual to install malicious software, use the remote access feature in Windows to take control of the computer, request a credit card for fake services or direct the user to fake websites. Unsuspecting users provide the information or load the software, thinking it’s Microsoft making the request. (The dead giveaway on this scam should be the fact that anyone from Microsoft tech support would call you to provide support for free. Have you tried to get support lately? It’s almost impossible to speak to a human!)

You may think your coworkers are smart enough to avoid phishing scams, but the tricks are getting better as the stakes are getting higher.
