ITBusiness.ca

Hacked e-mail accounts used in 419 scam “with a twist”

At first blush it seems like a typical 419 (or Nigerian letter) scam – the standard e-mail directing the intended victim to do certain things that supposedly result in a huge payoff to the latter.

But there’s one key difference: many such messages are now being sent to the personal contacts list of unsuspecting users whose Web e-mail accounts have been hacked.

Global spam categories over past 30 days

 

Welcome to the 419 scam with a twist, documented by the July 2008 monthly ‘The State of Spam’ report put out by security company Cupertino, Calif.-based Symantec Corp.

Symantec’s latest report cites an actual case to illustrate the modus operandi.

The user’s Web mail account was hacked and the rogue 419 email was sent to his personal contacts.

“Friends and colleagues received the request for assistance and were urged to respond via e-mail only,” the Symantec report says. “As the hacker took over the user’s account, the real owner would not have known about the e-mail, if recipients fell for the scam.”

To make the message appear more authentic, the account owner’s auto-signature was appended at the end of the message.

In this particular case, the scam did not end there.

According to the Symantec report, after capturing the e-mail account, the hacker got the owner’s online auction site password e-mailed to the account.

“The hacker then began bidding on a number of laptops being sold in the U.K. and instructed that the laptops be sent to Nigeria.”

This scam was not isolated to one particular Web mail provider or organization, the report noted.

Bogus “account expiry notifications” are commonly used by cyber crooks to gain e-mail account information and then take over these accounts, the study suggests.

It urges users to be wary of such notifications and not “provide their account details unwittingly to a third party.”

The harvest is plentiful

The report also recounts other common ways spammers obtain e-mail addresses, many of which are by now well known, such as:

However, in June Symantec observed greater use of a technique that blended illegitimate and seemingly innocuous e-mail harvesting.

The spammer would start out getting e-mail address lists using nefarious methods, but then send out “opt in” marketing requests to those on the list.

A typical e-mail would read: “Do you want to buy any stuff: any kind of pills, oem software, cool porn? Just mail me back, I’ll find the best offer for you.”

The list compiled from those who respond then becomes a “bona fide” opt-in catalogue of persons the spammer can send messages to freely, with no concern about spam traps, or that the message may be blocked by spam filters.

Quake e-mail used to spread viruses

Spammers and other cyber crooks commonly take advantage of natural tragedies – and Symantec witnessed the same phenomenon in the aftermath of the earthquake in China

The security company uncovered a widespread attack where infected e-mails, with sensational subject lines about the China earthquake are used to spread a virus.

Infected e-mails sent out en masse include one of the following subject lines:

– The most powerful quake hits China

– Countless victims of earthquake in China

– Death tool in China exceeds 1000000

– China is paralyzed by new earthquake

The body of the e-mail usually displayed a single line message with a URL link. When the URL link is clicked, a Web page opens up displaying the image of a video player, and instructing the user to play the video “to see the details of this terrible disaster.”

Attempting to play the video, opens an executable file, which Symantec has diagnosed as Trojan.Peacom.D, a Trojan horse that gathers system information and e-mail addresses from the compromised computer.

“The Peacomm family of Trojans are also commonly known as the “Storm” Trojan.”

“Similar attempts have been made in the past using high profile news events to spread viruses via email,” says the Symantec report. “Users should be aware of such attempts, and avoid opening e-mails and clicking on suspicious links.”

Exit mobile version