Another fake security warning, this time from AT&T Internet Services, is actually a spear phishing attack. Red Condor blocked the attack on Friday, April 2, 2010. The email with the subject line, “WARNING NOTICE from the AT&T Internet Services Security Center,” suggests that the recipient has a compromised email account. The body of the email suggests that “In order to secure your account we have disabled the current password. To access your account you will need to set a new password.”
Recipients are then asked to reply to the email with the following information:
Date of Birth:…………………..
Offline Security Question………………….
The scammers also inform the recipients that he or she should “Never reply to an email with your ID & Password except this one!” The sender’s email account is actually a Yahoo.com address.
While there is no malware involved, nor a spoofed web page, there’s still definitely potential for a significant threat.
Should someone respond to the request for information, they will undoubtedly have their identity stolen.
Once the criminals have the recipient’s email and password, they can find other services the recipient uses, such as a bank, and with the other requested information, scammers can likely gain access to the bank account, open a line of credit in the recipient’s name, etc. It is also commonly reported that after an email account has been compromised, the scammers are quick to send out “stranded friend” scam messages to everyone in the victims address book.
There’s a lot of leverage involved in that small amount of information. For instance, while they don’t ask for the recipient’s full name, first and last names can be easily found in the email account once the attacker gains access to it. With the full name and date of birth, it’s not too difficult to obtain the associated social security number, and once the SSN is obtained, the geographic region where victim was born can be ascertained.
Using these bits of information, the scammer can do background research to find relatives of the victim, their mother’s maiden name, what high school they went to, whether or not they are married and have children, etc. Most security questions are based on this type of information.
The recipient may also have information in his/her saved email that the scammer can use to extort the victim.
In addition, if the recipient is an employee at an interesting corporation, the scammer may be able to trick the recipient into installing a Trojan, which may then be used as a foothold into that corporation’s infrastructure — information which can be very lucrative.
Even if the recipient isn’t very interesting, he or she may have a friend that is, so now the scammer can exploit that person’s trust in the victim and potentially compromise the more interesting target.
On and on, the attack can escalate ad nauseum; all it takes is a foot in the door for an experienced criminal.
In summary, the information requested by the scammer is unlikely to be the end, in and of itself, but rather more of a means to an end. It may be that several criminals are involved, and the compromised account will simply be auctioned off, potentially in bulk. How exactly the data will be exploited would likely depend on what type of data the criminal is able to capture.