By Joris Evers
Spammers and phishers are learning more about potential victims to
better hone their attacks. Web sites that use e-mail addresses as
identifiers for password reminders and registration are open to
exploitation by scammers to generate detailed profiles of people,
security company Blue Security said this week in a research
In the technique described in the report, spammers and phishers
automatically run thousands of e-mail addresses through Web site
registration and password-reminder tools. Because many online
businesses return a specific message when an e-mail address is
registered with the site, attackers can find out whether that address
represents a valid customer.
Web sites that use e-mail addresses in their password-reminder and
registration process could enable scammers to generate detailed
profiles of people. Bottom line: The more malicious e-mail gets
tailored to the recipient, the more careful Internet users may have to
become -- an added burden on them.
Using information gathered from a number of sites, they can tailor
malicious e-mail to the recipient. That makes it more difficult for
Internet users to distinguish real messages from those that are junk
or part of a cyberscam. Also, customized messages are less likely to
be caught by spam filters, experts said.
"Phishing attacks fairly recently have started getting more
personalized and targeted," said Dave Jevans, chairman of the
Anti-Phishing Working Group. Such fraud-related messages now include
the recipient's name or e-mail address, or have even more information
about the receiver, Jevans said.
Phishing is a prevalent type of online fraud that attempts to steal
sensitive information such as user names, passwords and credit card
numbers. The thieves then sell the information or use it to commit
identity theft. The schemes typically combine spam e-mail and
fraudulent Web pages that look like legitimate sites.
Scammers usually have lists of e-mail addresses, either invented,
bought or collected online using harvesting tools.
The trick in the registration or password reminder attack is in the
response. Many online businesses return a specific message -- such as
"This address is already subscribed" -- when an e-mail address is
registered with the site. If an attacker gets that response, they know
that address represents a valid customer.
How does profiling work?
This example illustrates how cybervillains could build up profiles of a
potential victims, to better target their scams.
.. An attacker obtains a list of e-mail addresses. The scammer can
buy a list, collect addresses from the Internet using harvesting
tools, make up e-mail addresses, or use other means.
.. A script is written to automatically run the e-mail addresses
against the registration and password-reminder features of Web sites.
.. Responses let the attacker know if an address is registered with the
site. The data is used to compile profiles.
.. Profiles are used to target spam and phishing e-mails.
Source: Blue Security
By matching e-mail addresses with Web sites, cybercriminals can
uncover the gender, sexual preference, political orientation,
geographic location, hobbies and the online stores that have been used
by the person behind an e-mail address, Blue Security CEO Eran Reshef
"Imagine that somebody knows all the Web sites you ever registered
with, and think about what one can infer from that," Reshef said. "By
aggregating all this information you create a very detailed profile of
the person, not just snippets of information."
As a result, attacks could have a higher success rate, because the
e-mail presents unsuspecting recipients with accurate information in a
message that looks like legitimate correspondence. For example, an
e-mail purporting to come from a bank or credit card company could
name the recipient and refer to an online store that the recipient
Blue Security has found that a majority of the most popular U.S. Web
sites allow "hostile profiling" by phishers and spammers.
Additionally, many smaller Web sites, including online stores, sports
teams' Web sites, political organizations and other groups are
vulnerable, Reshef said.
However, hostile profiling does not seem to have become widespread
yet, according to Blue Security's research.
Some Web site operators -- major banks, for example -- appear to be
aware of the problem, Reshef said. These sites don't let people
register with their e-mail addresses as their login name, he
said. They also require additional information for registration or
password reminders, or use other security measures.
Have you ever been phished?
Check here to see whether an e-mail that appears to be from your bank
or an online merchant is actually an attempt to defraud you. eBay is
one online business that does not allow registration and password
reminder attacks. The auction Web site stopped using e-mail addresses
as user IDs before phishing became an issue, and it has taken other
protective measures in its registration and password-reminder process,
said Scott Shipman, senior counsel for eBay's global privacy practice.
"It is all designed to prevent the unauthorized disclosure of
information, be it the simplest piece of information, such as whether
or not that e-mail address or user id is actually a valid user ID on
the site," Shipman said.
In eBay's case, the reminder feature for user IDs gives the same
response, regardless of whether the e-mail address is registered with
the site. "The language of the error message will not tell you whether
or not it was a valid account," Shipman said.
What will foil the attacks?
Attacks work only if sites generate a different response depending on
whether an e-mail address is registered with the site or not.
.. A registration feature can only be exploited if the Web site
uses e-mail addresses to register users and does not require a
hard-to-fake personal detail, such as a credit card number. Other
security features, such as requiring a new registrant to solve a
graphical challenge, will also prevent an attack.
.. A reminder feature can only be exploited if it does not require
personal information in addition to an e-mail address. A graphical
challenge also counters an attack. Designing a Web site to not leak
information about users is what all site operators should do, the eBay
executive added. "It is an example of a type of practice that is a
best practice," he said.
Hostile profiling is only one way phishing messages are getting more
targeted. Earlier this month, security researchers reported that
stolen consumer data was used in phishing scams to rip off individual
account holders at specific banks.
Jevans at the Anti-Phishing Working Group said that Blue Security's
study highlights an emerging phishing threat, and agreed that online
organizations should take steps to eliminate vulnerable registration
and password-reminder features.
"I think the research is real. You can certainly code your site to not
do that, and you probably should," he said.
Copyright 1995-2005 CNET Networks, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, CNET Networks, Inc.
For more information go to: