Security Issues - IT Panel Articles 2007

The world wide web is a wonderful means of communication, and we all probably use it every day - indeed, our working lives have undoubtedly been changed as a result of the technology. However, the way we communicate now has a dark side, and this short item aims to raise readers' awareness of two risks.

Social engineering (aka phishing)

There are various types of attack: making a telephone call to find out seemingly innocuous information; sending those enticing e-mail invitations inviting us to help recover large amounts of money, providing we give the recipient our bank details; and bogus web sites that look like the on-line bank we always deal with, but are, in fact, collecting all our passwords and identity details in order to enable the malefactor to authorise the transfer of money out of our bank accounts. We may be familiar with these modes of attack, and the software vendors do try to make it more difficult for attackers to spoof a web site, for instance.

However, despite the valiant attempts by Microsoft and others, the baddies are in the vanguard when it comes to using technology to their advantage. Although we might think we now understand the attempts at e-mail fraud, this problem has now moved to India, where my contacts are now receiving such invitations, and do not know how to deal with them. We may not think that e-mails sent to India affect us, but they do: a contact of mine in India was recently told he had won some money on a lottery, and he was to get in touch with this person (as it appears in the e-mail): Barrister Paul Phillips Solicitors, Advocates And Commissioner Of oath, Address: Harbour Exchange Square, E14 9GB, London, E-mail Tel. No. +447045700555, Fax No +44 870 471 3035.

My contact wanted to know if I could help him verify whether such a law firm existed. The deal was this: the winnings amounted to £500,000, and before he could receive the money, he was required to pay non-resident tax of £1,500 into an Indian off-shore account pursuant to which the prize money would be paid, less his fees of £5,000.

This example is a constant reminder that we need to be aware of the problems that might face us in the future. For instance, in March 2003 silicon.com reported an e-mail sent as a hoax to thousands of addresses that caused a great deal of damage. Somebody sent an e-mail that read:

"If you want to raise a Civil Court action against someone anywhere in Scotland then I am your man. I am a ruthless bastard and I will screw the opposition to the wall even if it means bending a few rules."

The e-mail purported to have been written and sent by a partner in the law firm Blackadders, based in Dundee. The e-mail contained a signature that included the correct telephone number, name and e-mail address. The firm informed the Tayside police, and the IT department worked closely with the police in an attempt to trace the perpetrator, who used a Hotmail address. Scott Williamson, a partner at Blackadders responsible for IT, is reported to have told silicon.com "What's scary is how this was so easy to do. Any business affected by this kind of thing must realise the ongoing implications".

Domain name hijacking

Some readers may be familiar with problems caused when somebody hijacks a domain name, or even registers a domain name similar to yours. The former occurs when someone fraudulently takes control of a domain name, often by masquerading as the legitimate administrative contact for a domain name. The e-mail addresses of administrative contacts are widely available in the WHOIS database of domain registrations, and are used to verify the holder of a domain name. In both cases, the damage inflicted can be significant. One barrister had their domain name misused in this way, and defamatory material posted on the hijacked web site, much to their distress. This matter took some time to deal with, and they had to take specialist advice and help from a firm of solicitors. The effect this had on their daily working life can only be imagined. More recently, PCB Litigation LLP mentioned in a newsletter that a firm of English solicitors had fallen victim to a fake website scam, but had been able to do little about it. For a report by ICANN, click here.

Stephen Mason