The one that got away

Spam is down but phishing is up, and it's more clever than you might think

When I was a child there was a trend for sending ‘chain letters'. An envelope would drop through your letterbox, containing a letter often from a stranger, exhorting you to send a copy on to 12 people you know.

The reason? Absolutely none, unless it was a cunning ploy from the Post Office to sell stamps. How they could do with such money-spinning tactics now.

This was an early form of spam mail, and today seems almost impossibly naïve or even quaint. Nobody really benefitted, because nobody really lost out. Today's spam is rather more sinister, designed as it is to siphon funds from the unwary.

But there have been major victories of late against cyber criminals, with leading security firm Symantec declaring spam to be down 50 per cent globally compared with August this year. This reduction has largely been ascribed to the closure of ‘Spamit', previously the world's largest fraudulent pharmacy affiliate programme.

However, every silver lining has a dark cloud. Even as spam decreases, phishing rises up to take its place. Symantec stated that phishing on social media sites increased 80 per cent in November compared with October.

Phishing is everywhere, and it's not going away any time soon. I've seen it myself in my own inbox. Not so many ‘personal improvement' pills offered perhaps, but dozens of emails each day purportedly from sites and services I've signed up to, asking me to reconfirm my registration. One especially convincing example used my innate fear of cyber crime against me.

‘Someone has changed the email address associated with your account' the message exclaimed. ‘If this person is not you, click this link to take back control of your account'. Knowing that I'd been hacked before on this particular site (all right, online game, I'll stop pretending it was something worthwhile), and that I might well have changed my password back to the one the hackers knew, I was easily convinced.

I clicked the link, fully prepared to enter my details and wrest control away from those irritating cyber criminals. Then my anti-virus software leapt into action warning me that the link was strongly suspected of being a phishing site. Thanks AV, I owe you one.

The first time I was successfully phished was when the hackers somehow managed to get their fake site to appear top in the Google rankings, above the official one. It looked identical to the real thing, but that's the easy part. It even linked through to the real thing once I'd given away my account information, so I was none the wiser until the next day when I lost everything. You don't get to be a cyber criminal without being clever.

So now phishing is all over social media, with Twitter and Facebook unsurprisingly being especially rife, thanks to their popularity. Cyber crims use Trendistic to see the hottest topics not on that particular day, but at that particular second. Then they build a tweet using as many of the most popular key words as possible, embed a malicious link perhaps to their fake AV site, sit back and watch the cash roll in.

For example, England has just, perhaps inevitably, lost the bid for the FIFA 2018 World Cup. I say inevitably because the words ‘success', ‘England' and ‘World Cup' are not commonly seen in the same sentence. Trendistic shows the words ‘FIFA', ‘World Cup', ‘England' and ‘conspiracy' to be hot right now.

Without wishing to provide a crash course in cyber criminality, I'd suggest that a Tweet along the lines of: "England fail in FIFA 2018 World Cup bid. Conspiracy proved: www.downloadmymalware.com." Although I might use something like Tinyurl to disguise the actual name of that link.

Now I'm thinking like a true cyber criminal. Anyway, the message is, keep your AV up to date, and if you think something's suspicious, it probably is. In fact at the rate phishing is increasing, even if you don't think something's suspicious, it probably is.

I wish we could just go back to those chain letters. Mind you, I never did forward any. Waste a stamp on that? Not me.

By Stuart Sumner, Senior Reporter