
May 23, 2005

Web Site Flaws Let Spammers, Phishers Build User Profiles

Courtesy of TechWeb News

Spammers and phishers are using new kinds of attacks to build wide-ranging profiles of online users -- everything from their political views to their sexual preference -- a security firm said Monday.

Blue Security, which has offices in Menlo Park, Calif., and Israel, laid out details of what it's calling "registration attacks" and "password reminder attacks" in a report released Monday. Together, these attacks are used, said Blue Security's chief executive Eran Reshef, to conduct hostile profiling of Internet users.

In a registration attack, a spammer tries to register large numbers of e-mail addresses -- using automated scripts somewhat similar to those used in directory harvest attacks -- with a variety of Web sites. Because sites typically return errors on addresses already in use -- Reshef said his research showed a majority of sites do this -- spammers and phishers can determine not only which addresses are valid, but match an address with a Web site.

"It's one thing to have an address," said Reshef in explaining why spammers go to this trouble. "But with all this additional information, that address is much more valuable. If you want to promote, say Viagra, it's better for the spammer if he can identify those more likely to purchase the product."

By matching addresses with sites, spammers can compile a surprisingly in-depth profile, said Reshef. If an address is used by a dating service geared toward seniors 55 and older, for instance, the spammer can assume the owner of the address is in that age group. Ditto for a site that caters to gays and lesbians. Or a site for an NBA team.

Basic marketing, in other words, said Reshef: know your customer.

"They end up with a profile rather than just an e-mail address," Reshef went on. Not only does that make the address more valuable to the spammer, but it also makes it more valuable when the spammer sells his list to others.

A password reminder attack is similar, but takes advantage of the habit of most Web sites to inform users that an address is either in use or not registered when someone requests a password reminder for that address. If the address has been registered, the spammer is usually told that the password has been sent, essentially validating the address.

"With phishing, hostile profiling gets more interesting," said Reshef. "If a phisher knows that an e-mail address is registered with, say, a major online e-tailer, then he can assume you make purchases at that site using a credit card. If he sends a phishing e-mail posing as coming from that e-tailer, it's more likely that you'll respond, since you do buy there.

"These scammers are taking an e-mail address they already know and running it through hundreds of sites" to build these profiles, said Reshef.

Even Internet service providers are inadvertently helping out spammers and phishers, added Reshef. Using registration attack tactics, scammers can leverage ISP tools that help users find available addresses. TechWeb was quickly able to verify, for instance, that numerous Yahoo e-mail addresses were already taken and in use.

According to Reshef, nine out of ten major e-mail providers and ISPs leak such information.

Few sites use the simple techniques that can stymie such attacks. eBay seems to be one of them. When TechWeb tried the password reminder technique at eBay, and used the bogus address "," eBay responded with "eBay just sent your User ID to Check your email to get your User ID." It didn't indicate whether the address was in use on the site or not.

"We believe these kinds of attacks are currently in use," said Reshef. "Some high profile sites are taking measures against them, but no one does that to solve something only theoretical, especially when it degrades the user experience."

eBay's method, in fact, could be seen in that light, since it doesn't give any feedback to users who might, for instance, have mistyped their address.

While some site categories are invulnerable to such hostile profiling -- banks, Blue Security discovered, don't use e-mail addresses as user IDs, preventing both registration and password attacks -- most others are. In fact, the majority of recent non-bank phishing targets leak their customers' e-mail addresses to these attacks.

"All sites have to do is stop using e-mail addresses as user IDs," said Reshef. "Or they could include a CAPTCHA, a graphical challenge that machines can't figure out. That would solve 99 percent of the problem."
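The following is an added example written for this page; it is not code from TechWeb, Blue Security, or any site named in the article. It models in memory the two flows the article describes, a registration form and a password reminder form, first in a "leaky" version whose reply differs depending on whether the address is registered, then in a "uniform" version that does the same thing eBay's response does: it always replies with the same text and moves any address-specific information into the e-mail itself. A small self-check, the kind a site operator would run against their own handlers, compares replies for a known-registered and a known-unregistered address. All addresses and message texts are constructed for the example.

```python
"""Account-enumeration demo: leaky vs. uniform registration and password
reminder handlers. Added example, not the article's or any site's code."""
from dataclasses import dataclass, field

# Constructed sample user store; these addresses are made up.
REGISTERED = frozenset({"alice@example.test", "bob@example.test"})


@dataclass
class Outbox:
    """Stands in for the mail system so the example runs offline."""
    sent: list = field(default_factory=list)

    def send(self, to, body):
        self.sent.append((to, body))


class LeakySite:
    """The behaviour the article warns about: the page reply reveals
    whether the address is registered."""

    def __init__(self, users, outbox):
        self.users = set(users)
        self.outbox = outbox

    def register(self, address):
        if address in self.users:
            return "That e-mail address is already in use."  # confirms an account
        self.users.add(address)
        self.outbox.send(address, "Welcome! Click the link to confirm your account.")
        return "Thanks! Check your e-mail to confirm your account."

    def remind_password(self, address):
        if address not in self.users:
            return "No account is registered under that e-mail address."
        self.outbox.send(address, "Here is your password reset link.")
        return "Your password has been sent."  # validates the address


class UniformSite(LeakySite):
    """Same features, but the page reply is identical on both branches.
    Anything that depends on the address goes into the e-mail, which only
    the address owner can read. Both branches send a mail so the amount of
    work (and thus response time) is the same either way."""

    REPLY = "Thanks. If that address can be used here, we've e-mailed it with the next step."

    def register(self, address):
        if address in self.users:
            self.outbox.send(address, "You already have an account here. "
                                      "Use the password reminder if you forgot your password.")
        else:
            self.users.add(address)
            self.outbox.send(address, "Welcome! Click the link to confirm your account.")
        return self.REPLY

    def remind_password(self, address):
        if address in self.users:
            self.outbox.send(address, "Here is your password reset link.")
        else:
            self.outbox.send(address, "A password reminder was requested for this address, "
                                      "but no account exists. You can sign up instead.")
        return self.REPLY


def responses_are_uniform(site_factory, registered, unregistered):
    """Operator self-check: for each form, compare the reply for a registered
    address with the reply for an unregistered one. A fresh site is built for
    each call so that registering one address does not affect the next probe.
    Returns {action: True if the replies match}."""
    verdict = {}
    for action in ("register", "remind_password"):
        reply_known = getattr(site_factory(), action)(registered)
        reply_unknown = getattr(site_factory(), action)(unregistered)
        verdict[action] = reply_known == reply_unknown
    return verdict


if __name__ == "__main__":
    for cls in (LeakySite, UniformSite):
        result = responses_are_uniform(lambda: cls(REGISTERED, Outbox()),
                                       "alice@example.test", "nobody@example.test")
        print(cls.__name__, result)
```

The uniform version is the "degrades the user experience" trade-off the article mentions: a user who mistypes their address gets no on-page hint, only a missing e-mail. It also only closes the channel the article is about, the page reply; a hardened form should still rate-limit and, as Reshef suggests, add a CAPTCHA, since an identical reply does nothing to stop automated submission itself.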

The report, which is available on Blue Security's Web site as a PDF file, also includes ways users can determine whether a specific site is vulnerable to registration or password reminder attacks.
