This is not a spear phishing attack meant to target any particular business or group of people. The IRS had also been used in a phishing scam in February involving stimulus package payments. The IRS, however, doesn't even know your email address and will never contact you with official business over email according to Sam Masiello, vice president of information security at MX Logic. Reipients are advised by the IRS to forward the emails to phishing@irs.gov.
You can see a sample of the email and fraudulent link here: http://www.mxlogic.com/itsecurityblog/1/2009/09/5E.New-Malware-Campaign-Spoofs-the-IRS.cfm
This is just another example of what people are going to attempt to do in order to scam people. They are willing to impersonate something such as the IRS. The email even appears from no-reply@irs.gov which gives the email another item to try and prove its legitimacy.
People need to always continue to be wary of email that comes from distant sources. People even need to be always on the alert even with people they know. People who end up getting the trojan need to get that taken car of as soon as possible. Having a trojan on your computer just leads to more and more problems (I know from past personal experience). So, be diligent, and when it comes to email, it almost seems like you actually shouldn't ever trust the government, just like so many people say.
Sources:
Kaplan, Dan. "Cutwail botnet authors behind wave of malicious IRS spam." SC Magazine. Sept. 09, 2009. Web accessed: Sept. 11, 2009. http://www.scmagazineus.com/Cutwail-botnet-authors-behind-wave-of-malicious-IRS-spam/article/148474/
Posts
It is reasons like this that I think phishing will be around for a long time. There are so many schemes, and there will always be at least some gullible people out there who will fall for these tricks. As fake emails begin to look more and more legit, especially coming from what appears to a government source with legal consequences for not answering, people are likely to panic and do what the email directs them to do. While many people now know to look at links' addresses, etc, there are still thousands of people who would not know how to tell whether a decently designed email is legitimate. Even for people who do know what to look for, it is still a pain to have to check the legitimacy of an email by looking up phone calls or looking at official government websites. The difficulty prosecuting these crimes makes them even more likely to continue to occur because there is relatively little risk in executing them.
ReplyDeleteI agree with TMGP that as long as there are hackers out there, there will be people gullible enough to fall for their schemes. Though this email doesn't look nearly as legitimate as the fake subpoena we saw in class, the fact that it is coming from the IRS is enough to scare people into clicking the link. These hackers know what they're doing by using government agencies that people do not want to cross. Even the most intelligent people do not want to be found breaking the law. Also, hackers know that a large majority of people will not fall for it. That's why they send out 90,000 emails (in this case), hoping to fool just a few people.
ReplyDeleteI think also you look at how e-mail has evolved into our daily life. I receive e-mails daily and my inbox is always flooded. People today are always on the run and quickly check the e-mails without thoroughly looking them over. Combined with the mass amount that the hackers send out, they are bound to find the people who carelessly check their e-mails.
ReplyDeleteI can see how a person might be so flustered by the possibility that they broke some law or failed to pay their taxes that they would fall for this phishing scam. In theory it seems pretty obvious that you should never open an email from a government agency like the IRS which wouldn't send such private information over the internet. In the real world however, sensitive information is sent via email all of the time: bank statements, credit card receipts, etc. I think it has become really difficult for the average computer user to tell what is legitimate and what is a scam. I think that maybe private and government organizations need to take more responsibility in letting their users know that they would never send an email asking for sensitive information.
ReplyDeleteI think that older generations struggle with phishing attacks the most because they have not been informed of all the negative consequences a simple, wrong click can do. As educated individuals we are aware of hacking and phishing scams and think we are too smart to be fooled by them but this is definitely not true. Just because we think we know what to look for and what to avoid, the modern day hackers are getting better at their methods and becoming more sneaky.
ReplyDeleteI just read an article about 100,000 MySpace accounts being compromised by using fast-flux botnets which changes the IP addresses dynamically which makes tracing them nearly impossible. This just happened in 2007 and by using the botnets hackers get away with stealing personal information from thousands of people, at an extremely rapid pace.
Even though most emails don't look legit, it doesn't matter because anyone and every is a victim on the internet's endless opportunities for hackers to attack with just one click. It's unfortunate, but it is going to keep happening and the hackers are going to keep improving their ways of doing it.
I agree with slp. I think that the best defense against phishing is information. The more familiar a computer user is with phishing attacks, the better he will be at avoiding them. When it comes to preventing phishing attacks, there is not much that can be done. However, the proliferation and efficacy of these email scams can be battled by an informed public. I think that as younger generations begin to dominate computer and email usage, phishing scams will become less and less fruitful for hackers and will eventually decrease.
ReplyDelete