In light of recent data breaches, compromised companies and security experts have warned users to be vigilant about phishing attacks as cyber-thieves try to trick users into giving up sensitive information, such as bank account numbers, log-in credentials and credit card numbers. With potentially 60 million email addresses stolen from email marketing firm Epsilon and 100 million user accounts compromised on Sony’s various online services, it feels like practically anyone online may be a target of a spear-phishing attack, and that’s not even including all the other victims from other incidents. To learn about the forms phishing attacks may take, eWEEK sat down with Dave Jevans, chairman of security firm Iron Key. Forewarned is forearmed, right? Except it appears that cyber-criminals have come a long way since the days of poorly written and nearly incomprehensible messages that used to presage a phishing attack. "Hackers are actively trying to get the information," Jevans told eWEEK. And looking at the list in this slide show, we aren’t sure we would recognize some of these tricks as scams. Would you?
Password Resets
Perhaps the most well-known type of phishing, the email claims something is wrong with the user account and asks that the user log in to “reset” or “secure” the account. This may be a link to a page or an attached HTML file.
That Enticing Ad
Perhaps it’s a free iPad, or you won free airplane tickets because Osama bin Laden is dead. Or the ad is for an online multiplayer game everyone has been talking about. Malvertisements, or advertisements that link to malicious sites, are a growing problem and can trick users into going to phishing sites while surfing on legitimate pages.
The All-Important Work File
These are commonly seen in large organizations where no one is familiar with all the managers or employees. This scam pretends to be an internal message with a relevant attachment. It can be a “new” template for expense reports, or an “updated” organization chart. The latest PDF exploits successfully used this scam to download data-stealing malware onto the user’s machines.
Wanted: A Job
Attackers can respond to a job posting on any of the legitimate boards and attach a document or include a link under the pretext of applying for a job. No HR person would think twice about clicking on the link or opening an attachment loaded with data-stealing malware, such as a keylogger.
LinkedIn Requests
Here’s a good example of how attackers select victims to spear-phish. Based on the job title or company name, attackers identify the pool of people to send a fake LinkedIn request. When the user clicks on the link, they are directed to a fake LinkedIn page and asked to log in. Don’t accept LinkedIn requests by clicking on the link; go to the site manually.
Fake Auctions
Attackers can put up a fake auction on eBay and other legitimate sites. Users looking for a deal find the auction listing and click on the link purporting to have more details, an image of the sale item, for example. When they are redirected to the malicious portal, data-stealing malware is downloaded onto the computer.
Help! I am Stranded!
Someone has been robbed while in Spain, London, somewhere, for a visit. No money, no passport. Please wire money, they say. Even if it’s your favorite Uncle Andy, don’t click on the link. Uncle Andy can call collect and ask for help. (Or call Aunt Bea to make sure Uncle Andy is in Spain in the first place.)
Nigerian Scam
While derided for its poor grammar and unbelievable claims of untold wealth, these scams are around precisely because people still fall for them. Purporting to be from a well-connected person in Nigeria, China, North Korea, Libya, etc., trying to move money out of the country, the user is offered a cut of the money for providing a bank account to help transfer the funds. Even more unbelievable is that people will foolishly send the number for an active savings or checking account that contains their personal funds. When they do, the scammers will clean out the account and leave behind shattered dreams of wealth.
The Unexpected Bequest
A variation of the “trying to get my money out of the country” scam, this version claims someone who was a great philanthropist has died and decided to leave all the money to charity. If the news of an inheritance shows up in the in-box, odds are it’s a scam. Lawyers are more likely to rely on the United States Postal Service.
Not Quite the Right URL
While not as common, the trick of setting up a phishing site at a URL that looks similar to the real one is still around. Most are not as blatant as the infamous wwwbankofamerica.com site from 2003, and just have the site name “Chase” embedded in the hostname somewhere. Then there is the fake SB Capital site, with a URL that looks very legitimate.
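The two URL tricks the slide show describes, a brand name embedded somewhere in a hostname that is not the brand's real domain (this slide) and a link whose visible text does not match where it actually points (the LinkedIn slide), can both be caught mechanically before a user ever sees the message. The following is an added example written for this page, not code from eWEEK or IronKey. The brand allowlist, the public-suffix list and the sample links are constructed for illustration; a real mail gateway would load the allowlist from the organization's own brand inventory and use a full public-suffix list.

```python
"""Defender-side checks for lookalike phishing URLs (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> registrable domains the brand really uses.
LEGIT_DOMAINS = {
    "bankofamerica": {"bankofamerica.com"},
    "chase": {"chase.com"},
    "linkedin": {"linkedin.com"},
    "ebay": {"ebay.com"},
}

# Small, constructed set of two-label public suffixes so that the registrable
# domain of "login.chase.co.uk" is "chase.co.uk" rather than "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part someone had to register (e.g. 'chase.com')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> tuple:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    # The allowlist wins: only the real registrable domain counts as the brand.
    for legit in LEGIT_DOMAINS.values():
        if reg in legit:
            return "legit", "registrable domain is on the allowlist"
    # 'www' glued onto the name with no dot after it (wwwbankofamerica.com style).
    if host.startswith("www") and not host.startswith("www."):
        return "lookalike", "hostname starts with 'www' but has no dot after it"
    # Brand keyword embedded anywhere in the hostname, dots and hyphens ignored.
    flat = host.replace(".", "").replace("-", "")
    for brand in LEGIT_DOMAINS:
        if brand in flat:
            return "lookalike", f"brand '{brand}' embedded in a non-allowlisted host"
    return "unknown", "no brand keyword and not on the allowlist"


def classify_url(url: str) -> tuple:
    """Classify a full URL; only the hostname is examined, never the path."""
    host = urlsplit(url).hostname
    if not host:
        return "unknown", "no hostname in URL"
    return classify_host(host)


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one registrable domain but the href
    points at another, the pattern behind fake 'LinkedIn request' mails."""
    shown_url = display_text if "://" in display_text else "http://" + display_text
    shown = urlsplit(shown_url).hostname
    if not shown or "." not in shown:
        return False  # plain words like 'Accept invitation' carry no domain to compare
    target = urlsplit(href).hostname or ""
    return registrable_domain(shown) != registrable_domain(target)


if __name__ == "__main__":
    # Constructed sample links modelled on the patterns the slide show describes.
    for u in ["http://wwwbankofamerica.com/", "https://secure-chase-login.example.net/",
              "https://www.linkedin.com/in/someone", "https://example.org/chase/"]:
        print(u, "->", classify_url(u))
    print(link_mismatch("www.linkedin.com", "https://linkedin-invite.example.net/x"))
```

The check deliberately ignores the URL path, so a brand name in a path on an unrelated host is not enough to flag it; what matters is the domain someone had to register. Anything classified as "lookalike" or as a text/href mismatch is a candidate for quarantine or for rewriting the link to a warning page rather than blocking outright, since the allowlist will never be complete.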