Email scams increasingly sophisticated

Two news stories illustrate the increasing sophistication of email security threats.

The New York Times describes the exploitation of someone's Web-based email account to send pleading messages to all their contacts, asking for money. The emails, of course, appear to come from the legitimate owner of the email address and are therefore more likely to be trusted implicitly by at least some of the recipients. This is far from the first time we've heard about hackers taking over webmail systems, eBay IDs and the like. How they achieve the take-over is not usually clear, but there are several methods, including brute-force guessing of the password, fooling the lame "I've forgotten my password" authentication checks, Trojan keyloggers and more.

Meanwhile, the Wall Street Journal reports on successful spear-phishing attacks against executive managers. The scammers send emails that use the person's name and other identifying information (perhaps gathered from social networking sites or elsewhere on the Web) to fool them into following dubious links. Their PCs are then infected with malware, typically keylogging Trojans according to the article. Thereafter, everything the exec types in (bank details, passwords, secret documents, whatever) is also available to the scammer. Nasty.

Both stories demonstrate the effectiveness of social engineering methods. We humans naturally trust our friends and acquaintances. Scammers who somehow succeed in appearing to be our friends and acquaintances are taking advantage of that trust.

UPDATE Dec 11th: The "I'm stuck in Nigeria - please send money" email scams evidently work just as well in India too.